Data converter and recording medium on which program for executing data conversion is recorded

ABSTRACT

A plurality of round processing parts (38) are provided each of which contains a nonlinear function part (304), and each nonlinear function part (304) comprises: a first key-dependent linear transformation part (341) which performs a linear transformation based on a subkey; a splitting part (342) which splits the output from the first key-dependent linear transformation part into n pieces of subdata; a first nonlinear transformation part (343) which nonlinearly transforms those pieces of subdata, respectively; a second key-dependent linear transformation part (344) which linearly transforms those nonlinearly transformed outputs based on a subkey and outputs n pieces of transformed subdata; a second nonlinear transformation part (345) which nonlinearly transforms those transformed subdata; and a combining part (346) which combines the nonlinearly transformed outputs. An n×n matrix, which represents the linear transformation in the second key-dependent linear transformation part (344), is formed by n vectors whose Hamming weights are equal to or larger than T−1 for a security threshold T, thereby increasing the invulnerability against differential cryptanalysis and linear cryptanalysis.

TECHNICAL FIELD

The present invention relates to a transformation device that is used in a cryptographic device for concealing data in data communication or storage and, more particularly, to a data transformation device suitable for use in an encryption device of a secret-key encryption algorithm which encrypts or decrypts data blocks using a secret key, and a recording medium on which there is recorded a program for execution by the data transformation device.

PRIOR ART

With a view to constructing a fast and secure secret-key encryption algorithm, a block cipher is used according to which data for encryption is split into blocks of a suitable length and encrypted for each block. Usually, the block cipher comprises a data diffusion part which randomizes input data to be encrypted, and a key scheduling part which is supplied with a secret common key (hereinafter referred to as a master key) input to the encryption device and generates a sequence of subkeys for use by the data diffusion part. A typical secret-key encryption algorithm, which is used in the data transformation device to conceal data, is DES (Data Encryption Standard), which was a FIPS-approved algorithm for encryption.

FIG. 1 illustrates the functional configuration of DES. DES uses a 64-bit secret key (8 bits being used for parity), and encrypts or decrypts data in blocks of 64 bits. In FIG. 1 the encryption process is executed in a data diffusion part 10, which begins with initial permutation of 64 bits of a plaintext M in an initial permutation part 11, followed by splitting the permuted data into two pieces of 32-bit block data L₀ and R₀. The block data R₀ is input to a function operation part (referred to also as a round function) 12 which is a data transformation part shown as an i-th round processing part 14_(i) (i=0, 1, . . . , 15) in FIG. 2, wherein it is transformed to f(R₀, k₀) using a 48-bit subkey k₀. The thus transformed data f(R₀, k₀) and the block data L₀ are exclusive ORed in an XOR circuit 13, and its output and the block data R₀ are swapped to obtain the next block data L₁, R₁. That is,

R₁ = L₀ ⊕ f(R₀, k₀)

L₁ = R₀

where ⊕ represents an exclusive OR. A 0-th round processing part 14₀ comprises the function operation part 12 and the XOR circuit 13 and swaps the two pieces of block data to provide the two pieces of output block data L₁ and R₁; similar round processing parts 14₁ to 14₁₅ are provided in cascade. The processing by the i-th round processing part 14_(i) will hereinafter be referred to as i-th processing, where i=0, 1, . . . , 15. That is, each round processing part 14_(i) (where 0≦i≦15) performs the following processing

R_(i+1) = L_(i) ⊕ f(R_(i), k_(i))

L_(i+1) = R_(i)

Finally, the two pieces of data R₁₆ and L₁₆ are concatenated into 64-bit data, which is permuted in a final permutation part 15 to provide a 64-bit ciphertext. Incidentally, the operation of the final permutation part 15 corresponds to an inverse transform of the operation of the initial permutation part 11.

The decryption process can be executed following the same procedure as that for the encryption process except inputting subkeys k₀, k₁, . . . , k₁₄, k₁₅ to the function f (the function operation part 12) in the order k₁₅, k₁₄, . . . , k₁, k₀ which is reverse to that in the encryption process. In such an instance, the outputs L₁₆ and R₁₆ from the final round processing part 14₁₅ are further swapped as depicted, and in the decryption process the ciphertext is input to the initial permutation part 11 for execution of the process of FIG. 1, by which the plaintext is provided intact at the output of the final permutation part 15. In a key scheduling part 20 an expanded key generation part 21: splits a master key of 64 bits, except 8 bits used for parity, into two pieces of 28-bit right and left key data; then performs 16-round swapping of the two pieces of 28-bit right and left key data; and performs reduced permutation of the permuted right and left data (a total of 56 bits) provided from the respective rounds to generate 16 48-bit subkeys k₀, k₁, . . . , k₁₄, k₁₅ which are provided to the corresponding round processing parts of the data diffusion part 10.

The processing in the function operation part 12 is performed as depicted in FIG. 2. To begin with, the 32-bit block data R_(i) is transformed to 48-bit data E(R_(i)) in an expanded permutation part 17. This output data and the subkey k_(i) are exclusive ORed in an XOR circuit 18, whose output is the 48-bit data E(R_(i))⊕k_(i), which is then split into eight pieces of 6-bit sub-block data. The eight pieces of sub-block data are input to different S-boxes S₀ to S₇ to derive therefrom a 4-bit output, respectively. Incidentally, the S-box S_(j) (where j=0, 1, . . . , 7) is a nonlinear transformation table that transforms the 6-bit input data to the 4-bit output data, and is an essential part that provides security of DES. The eight pieces of output data from the S-boxes S₀ to S₇ are concatenated again to 32-bit data, which is applied to a permutation part 19 to provide the output f(R_(i), k_(i)) from the function operation part 12 as shown in FIG. 2. This output is exclusive ORed with L_(i) to obtain R_(i+1).

Next, a description will be given of cryptanalysis techniques. A variety of cryptanalysis techniques have been proposed for DES and other traditional secret-key encryption algorithms; extremely effective cryptanalysis techniques among them are differential cryptanalysis proposed by E. Biham and A. Shamir (“Differential Cryptanalysis of DES-like Cryptosystems,” Journal of Cryptology, Vol. 4, No. 1, pp. 3-72) and linear cryptanalysis proposed by Matsui (“Linear Cryptanalysis Method for DES Cipher,” Advances in Cryptology - EUROCRYPT '93 (Lecture Notes in Computer Science 765), pp. 386-397).

Assuming that a difference between two pieces of data X and X* is defined as

ΔX = X ⊕ X*,

differential cryptanalysis aims to obtain the subkey k₁₅ in the final round processing part 14₁₅ by applying to the following equations two sets of plaintext-ciphertext pairs that an attacker possesses. In the encryption process of FIG. 1, let (L_(i), R_(i)) and (L*_(i), R*_(i)) represent input data into the round processing part 14_(i) for the first and second plaintexts respectively. With the difference defined as mentioned above, the following equations hold.

ΔL_(i) = L_(i) ⊕ L*_(i)

ΔR_(i) = R_(i) ⊕ R*_(i)

In FIG. 1, since L₁₅=R₁₄, L*₁₅=R*₁₄, L₁₆=R₁₅ and L*₁₆=R*₁₅, the following equations hold

R₁₆ = L₁₅ ⊕ f(R₁₅, k₁₅)

R*₁₆ = L*₁₅ ⊕ f(R*₁₅, k₁₅)

and the exclusive OR of both sides of these two equations is obtained as follows:

ΔR₁₆ = ΔL₁₅ ⊕ f(L₁₆, k₁₅) ⊕ f(L₁₆ ⊕ ΔL₁₆, k₁₅).

Exclusive ORing both sides with ΔR₁₄=ΔL₁₅ gives the following equation:

f(L₁₆, k₁₅) ⊕ f(L₁₆ ⊕ ΔL₁₆, k₁₅) = ΔR₁₆ ⊕ ΔR₁₄.

At this time, since L₁₆, ΔL₁₆ and ΔR₁₆ are data available from the ciphertext, they are known information. Hence, if the attacker can correctly obtain ΔR₁₄, then only k₁₅ in the above equation is an unknown constant; the attacker can find the correct k₁₅ without fail by an exhaustive search for k₁₅ using the known sets of plaintext-ciphertext pairs. Accordingly, once the subkey k₁₅ is found out, the remaining eight (i.e., 56−48) bits can easily be obtained even by another exhaustive search.

On the other hand, generally speaking, it is difficult to obtain ΔR₁₄ since this value is an intermediate difference value. Then, assume that each round processing is approximated by the following equations with a probability p_(i) in the 0-th to the last round but one (i.e., the 14-th):

ΔR_(i+1) = ΔL_(i) ⊕ Δ{f(ΔR_(i))}

ΔL_(i+1) = ΔR_(i).

The point is that, when a certain ΔR_(i) is input to the i-th round processing part, Δ{f(ΔR_(i))} can be predicted with the probability p_(i) regardless of the value of the subkey k_(i). The reason why such approximations can be made is that the S-boxes, which are nonlinear transformation tables, provide an extremely uneven distribution of output differences for the same input differences. For example, in the S-box S₀, an input difference “110100₍₂₎” is transformed to an output difference “0010₍₂₎” with a probability of 1/4. Then, the approximation for each round is obtained by assuming that the S-boxes are each capable of predicting the relationship between the input difference and the output difference with a probability p_(si) and by combining them. Furthermore, the concatenation of such approximations in the respective rounds makes it possible to obtain ΔR₁₄ from ΔL₀ and ΔR₀ (ΔL₀ and ΔR₀ are data derivable from the plaintext, and hence they are known) with a probability P=Π_(i=0)¹³ p_(i). Incidentally, the higher the probability P, the easier the cryptanalysis. After the subkey k₁₅ is thus obtained, a similar calculation is made of the subkey k₁₄, regarding it as a 15-round DES that is one round fewer than in the above; such operations are repeated to obtain the subkeys one by one down to k₀.

Whether this cryptanalysis succeeds depends on the probability P; the higher the probability P, the more likely the success. Biham et al. say that DES could be broken by this cryptanalysis if 2⁴⁷ sets of chosen plaintext-ciphertext pairs are available.

Linear cryptanalysis aims to obtain subkeys by constructing the following linear approximate equation and using the maximum likelihood method with sets of known plaintext-ciphertext pairs possessed by an attacker.

(L₀, R₀)Γ(L₀, R₀) ⊕ (L₁₆, R₁₆)Γ(L₁₆, R₁₆) = (k₀, k₁, . . . , k₁₅)Γ(k₀, k₁, . . . , k₁₅)

where Γ(X) represents the vector that chooses particular bit positions of X, and it is called a mask value.

The role of the linear approximation expression is to approximately replace the cryptographic algorithm with a linear expression and separate it into a part concerning the set of plaintext-ciphertext pairs and a part concerning the subkeys. That is, over the set of plaintext-ciphertext pairs, the exclusive OR of all the values at particular bit positions of the plaintext and those of the ciphertext takes a fixed value, which indicates that it equals the exclusive OR of the values at particular positions of the subkeys. This means that the attacker gets the information

(k₀, k₁, . . . , k₁₅)Γ(k₀, k₁, . . . , k₁₅) (one bit)

from information

(L₀, R₀)Γ(L₀, R₀)⊕(L₁₆, R₁₆)Γ(L₁₆, R₁₆).

At this time, (L₀, R₀) and (L₁₆, R₁₆) are the plaintext and the ciphertext, respectively, and hence they are known. For this reason, if the attacker can correctly obtain Γ(L₀, R₀), Γ(L₁₆, R₁₆) and Γ(k₀, k₁, . . . , k₁₅), then he can obtain (k₀, k₁, . . . , k₁₅)Γ(k₀, k₁, . . . , k₁₅) (one bit).

In DES only the S-boxes perform nonlinear transformation; hence, if linear representations can be made for only the S-boxes, the linear approximation expression can easily be constructed. Then, assume that each S-box can be linearly represented with a probability p_(si). The point here is that when the input mask value for the S-box is given, its output mask value can be predicted with the probability p_(si). The reason for this is that the S-boxes, which form a nonlinear transformation table, provide an extremely uneven distribution of output mask values according to the input mask values. For example, in the S-box S₄, when the input mask value is “010000₍₂₎,” an output mask value “1111₍₂₎” is predicted with a probability 3/16. By combining the mask values in these S-boxes, a linear representation of each round with the input and output mask values can be made with a probability p_(i), and by concatenating the linear representations of the respective rounds, Γ(L₀, R₀), Γ(L₁₆, R₁₆) and Γ(k₀, k₁, . . . , k₁₅) are obtained with the following probability:

P = 1/2 + 2¹⁵ Π_(i=0)¹⁵ |p_(i) − 1/2|.

The higher the probability P, the easier the cryptanalysis.
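The two S-box figures quoted above (S₀ sending input difference 110100 to output difference 0010 with probability 1/4, and S₄ predicting output mask 1111 from input mask 010000 with probability 3/16) can be checked by tabulating the difference distribution and the linear approximation of the standard DES S-boxes, which the text numbers S₀ to S₇ (DES S1 to S8). The following is an added example, not code from the patent; it embeds DES S1 and S5 and uses the DES convention that the outer input bits select the row and the middle four bits select the column.

```python
from fractions import Fraction

# Standard DES S-boxes S1 and S5 (the text calls them S0 and S4).
# Row = outer bits b1 b6, column = middle bits b2 b3 b4 b5 of the 6-bit input.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]
S5 = [
    [2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9],
    [14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6],
    [4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14],
    [11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3],
]


def sbox(table, x):
    """6-bit input x (b1 is the most significant bit) -> 4-bit output."""
    row = ((x >> 5) & 1) << 1 | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]


def parity(v):
    return bin(v).count("1") & 1


def difference_count(table, din, dout):
    """Number of inputs x with S(x) ^ S(x ^ din) == dout (one DDT entry)."""
    return sum(1 for x in range(64)
               if sbox(table, x) ^ sbox(table, x ^ din) == dout)


def differential_probability(table, din, dout):
    """The per-S-box probability p_si of the text for a given (din, dout)."""
    return Fraction(difference_count(table, din, dout), 64)


def linear_count(table, imask, omask):
    """Number of inputs x with parity(x & imask) == parity(S(x) & omask)."""
    return sum(1 for x in range(64)
               if parity(x & imask) == parity(sbox(table, x) & omask))


def linear_probability(table, imask, omask):
    """Probability that the input mask predicts the output mask."""
    return Fraction(linear_count(table, imask, omask), 64)


def linear_bias(table, imask, omask):
    """|p - 1/2|, the factor that enters the piling-up product in the text."""
    return abs(linear_probability(table, imask, omask) - Fraction(1, 2))


def best_differential(table):
    """Most likely (din, dout, count) over all nonzero input differences."""
    return max(((din, dout, difference_count(table, din, dout))
                for din in range(1, 64) for dout in range(16)),
               key=lambda t: t[2])


def best_linear(table):
    """Largest-bias (imask, omask, bias) over all nonzero output masks."""
    return max(((im, om, linear_bias(table, im, om))
                for im in range(64) for om in range(1, 16)),
               key=lambda t: t[2])


if __name__ == "__main__":
    print("S0 (DES S1): 110100 -> 0010, p =",
          differential_probability(S1, 0b110100, 0b0010))
    print("S4 (DES S5): mask 010000 -> 1111, p =",
          linear_probability(S5, 0b010000, 0b1111))
    print("best differential of S0:", best_differential(S1))
    print("best linear approximation of S4:", best_linear(S5))
```

The same two functions applied to a candidate S-box for the nonlinear transformation parts described later give the value p that bounds the per-round probability p_(i) in the invention's security argument.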

According to Matsui, he has succeeded in the analysis of DES by this cryptanalysis using 2⁴³ sets of known plaintext-ciphertext pairs.

To protect ciphers against the above cryptanalysis techniques, the probability P needs only to be reduced to be sufficiently small. A wide variety of proposals have been made to lessen the probability P, and the easiest way to provide increased security in the conventional cryptosystems is to increase the number of rounds. For example, Triple-DES with three DESs concatenated is an algorithm that essentially increases the number of rounds from 16 to 48, and it provides a far smaller probability P than does DES.

However, increasing the number of rounds with a view to avoiding the cryptanalysis techniques described above inevitably sacrifices the encryption speed. For example, if the number of rounds is tripled, the encryption speed is reduced to 1/3. That is, since the encryption speed of the present DES is about 10 Mbps on the Pentium PC class, the encryption speed of Triple-DES goes down to around 3.5 Mbps. On the other hand, networks and computers are becoming increasingly faster year by year, and hence there is also a demand for data transformation devices that keep up with such speedups. With conventional data transformation devices, it is extremely difficult, therefore, to simultaneously meet the requirements of security and speedup.

Moreover, according to differential and linear cryptanalysis, the subkey in the final round is obtained as described above. Since DES has a defect that the main key can easily be derived from the subkey in the final round, there is proposed in U.S. Pat. No. 4,850,019 a method which provides increased security by increasing the complexity of the correspondence between the subkeys and the main key in the key scheduling part 20. Its fundamental configuration is shown in FIG. 3. In the above-mentioned U.S. patent, the subkeys are generated from the main key by data diffusion parts (f_(k)); therefore it is expected that the main key cannot easily be derived from the subkeys.

Next, a description will be given, with reference to FIG. 3, of the general outlines of a key scheduling part 20 disclosed in the above-mentioned U.S. patent. An expanded key generation part 21 comprises N/2 (N=16, for example) rounds of key processing parts 21₀ to 21_(N/2−1) which have key diffusion parts 22₀ to 22_(N/2−1), respectively. The key processing parts 21_(j) (where j=0, 1, . . . , N/2−1) each perform diffusion processing of two pieces of 32-bit right and left key data, and interchange them to provide two pieces of right and left key data for input to the next-round key processing part 21_(j+1). The key processing parts 21_(j), except the first round, each have an exclusive OR part 23_(j), which calculates the exclusive OR of the left input key data to the key processing part 21_(j−1) of the preceding round and the left output key data therefrom and provides the calculated data to the key diffusion part 22_(j). The left input key data of the key processing part 21_(j) is diffused by the output from the exclusive OR part 23_(j) in the key diffusion part 22_(j), from which the diffused data is output as right key data for input to the next round, and the right input key data of the key processing part 21_(j) is output as left key data for input to the next round. The output from each key diffusion part 22_(j) is bit-split into two subkeys Q_(2j) and Q_(2j+1) (that is, k_(i) and k_(i+1)), which are provided to the corresponding (i=2j)-th round processing part and (i+1=2j+1)-th round processing part in FIG. 1.

The 64-bit main key is split into two pieces of 32-bit right and left key data, then in the first-round key processing part 21₀ the left key data is diffused by the right key data in the key diffusion part 22₀ to obtain diffused left key data, and this diffused left key data and the right key data are interchanged and provided as right and left key data to the next key processing part 21₁. The outputs from the key diffusion parts 22₀ to 22_(N/2−1) of the key processing parts 21₀ to 21_(N/2−1) are applied as subkeys k₀ to k_(N−1) to the corresponding round processing parts 14₀ to 14_(N−1) of the data diffusion part 10 depicted in FIG. 1.

In the expanded key generation part 21 of FIG. 3, however, each key diffusion part 22_(j) is a function for generating a pair of key data (subkeys Q_(2j), Q_(2j+1)) from two pieces of input data. In the case where, when one of the two pieces of input data and the output data are known, the other input data can be found out, if it is assumed that three pairs of subkeys (Q_(2j−2) and Q_(2j−1)), (Q_(2j) and Q_(2j+1)), (Q_(2j+2) and Q_(2j+3)) are known, then since the output (subkeys Q_(2j+2) and Q_(2j+3)) from the (j+1)-th key diffusion part 22_(j+1) and the one input data (subkeys Q_(2j−2) and Q_(2j−1)) thereto are known, the other input data (i.e., the output data from the exclusive OR part 23_(j+1)) can be obtained; and it is possible to derive, from the thus obtained data and the subkeys Q_(2j) and Q_(2j+1) which constitute the one input data to the exclusive OR part 23_(j+1), the input data to the preceding (j-th) key diffusion part 22_(j) which constitute the other input data to the exclusive OR part 23_(j+1), that is, the subkeys Q_(2j−4) and Q_(2j−3) which constitute the output from the three-round-preceding ((j−2)-th) key diffusion part 22_(j−2). By repeating such operations in a sequential order, it is possible to determine all subkeys through data analysis only in the key scheduling part 20 without involving data analysis in the data diffusion part 10. It has been described just above that when subkeys of three consecutive rounds are known, all the subkeys concerned can be obtained, but when subkeys of two consecutive rounds are known, cryptanalysis will succeed even by estimating the subkeys of the remaining one round by an exhaustive search.

Letting the final stage of the round processing in FIG. 1 be represented by i=N, subkeys k_(N) and k_(N−1) are easy to obtain by differential and linear cryptanalysis. By analyzing the key data in the expanded key generation part 21 as described above using the obtained subkeys, there is the possibility of obtaining all the subkeys concerned.

A first object of the present invention is to provide a data transformation device in which the round function f (the function operation part) is so configured as to simultaneously meet the requirements of security and speedup, to thereby ensure security and permit fast encryption processing without involving a substantial increase in the number of rounds, and a recording medium having recorded thereon a program for implementing the data transformation.

A second object of the present invention is to implement a key scheduling part which does not allow other subkeys and the master key to be easily determined by a mere analysis of the key scheduling part even if some of the subkeys are known.

DISCLOSURE OF THE INVENTION

To attain the first object of the present invention, a nonlinear function part, in particular, comprises: a first key-dependent linear transformation part which linearly transforms input data of the nonlinear function part based on first key data stored in a key storage part; a splitting part which splits the output data of the first key-dependent linear transformation part into n pieces of subdata; first nonlinear transformation parts which nonlinearly transform these pieces of subdata, respectively; a second key-dependent linear transformation part which linearly transforms respective pieces of output subdata of the first nonlinear transformation parts based on second key data; second nonlinear transformation parts which nonlinearly transform respective pieces of output subdata of the second key-dependent linear transformation part; and a combining part which combines output subblocks of the second nonlinear transformation parts into output data of the nonlinear function part; and the second key-dependent linear transformation part contains a linear transformation part which performs exclusive ORing of its inputs as defined by an n×n matrix.

According to the present invention, it is guaranteed that when the differential probability/linear probability in the first and second nonlinear transformation parts is p (<1), the differential probability/linear probability of approximating each round is p_(i)≦p² (when the input difference to the function f (the nonlinear function part) is not 0 in the case of differential cryptanalysis, and when the output mask value from the function is not 0 in the case of linear cryptanalysis). And when the function f is bijective, if the number of rounds of the cryptographic device is set at 3r, then the probability of the cipher becomes P≦p_(i)^(2r)≦p^(4r). Furthermore, if the second key-dependent linear transformation part in the case of n=4, in particular, has a configuration that exclusive ORs a combination of three of four pieces of subdata with one of four pieces of key data, the probability of approximating each round is p_(i)≦p⁴ and the probability of the cipher is P≦p_(i)^(2r)≦p^(8r). If the second key-dependent linear transformation part in the case of n=8 has a configuration that exclusive ORs a combination of six or five of eight pieces of subdata with one of eight pieces of key data, the probability of approximating each round is p_(i)≦p⁵ and the probability of the cipher is P≦p_(i)^(2r)≦p^(10r).

Moreover, the first and second nonlinear transformation parts are arranged so that their processing can be performed completely in parallel; this contributes to speedup.

It is possible, therefore, to construct a nonlinear function that is fast and secure against differential and linear cryptanalysis, and to permit the implementation of a data transformation device which copes with both security and speedup.

To attain the second object of the present invention, the key scheduling part is provided with: G-function parts which perform the same function as that of the key diffusion part (the function f_(k)), L components which are output from the G-function parts being once stored in a storage part; and an H-function part which reads out a required number of L components from the storage part and generates subkeys by extracting from the respective L components as uniformly as possible. Furthermore, in the H-function part partial information, which is used as subkeys, is extracted from the L components which are outputs from the G-function parts, then the extracted information is stored in a storage part, and the subkeys are generated by extracting the partial information from the required number of L components.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram depicting the functional configuration of a conventional DES cryptographic device.

FIG. 2 is a diagram depicting a concrete functional configuration of a function operation part 12 in FIG. 1.

FIG. 3 is a diagram depicting an example of an expanded key generation part 21 in FIG. 2.

FIG. 4 is a diagram illustrating the functional configuration of the first embodiment of the present invention.

FIG. 5 is a diagram showing in detail an example of the functional configuration of a nonlinear function part 304 in the first embodiment.

FIG. 6 is a diagram showing a basic configuration of a nonlinear function part for determining an optimal linear transformation part in FIG. 5.

FIG. 7 is a diagram depicting a concrete example of the second key-dependent linear transformation part 344 in FIG. 5.

FIG. 8A is a diagram depicting an equivalent functional configuration of a nonlinear transformation part 343₀′ in the second embodiment.

FIG. 8B is a diagram depicting an equivalent functional configuration of a nonlinear transformation part 343₁′ in the second embodiment.

FIG. 8C is a diagram depicting an equivalent functional configuration of a nonlinear transformation part 343₂′ in the second embodiment.

FIG. 8D is a diagram depicting an equivalent functional configuration of a nonlinear transformation part 343₂′ in the second embodiment.

FIG. 9 is a diagram showing the functional configuration of a second key-dependent linear transformation part 344 in the second embodiment.

FIG. 10 is a diagram showing the functional configuration of a nonlinear function part 343₀ (345₀) in the third embodiment.

FIG. 11 is a flowchart showing the procedure for implementing a data transformation by a computer.

FIG. 12 is a flowchart showing in detail the procedure of step S3 in FIG. 11.

FIG. 13 is a diagram depicting the functional configuration of the fourth embodiment of the present invention.

FIG. 14 is a diagram depicting the functional configuration of a nonlinear function part 304 in FIG. 13.

FIG. 15A is a diagram depicting a linear transformation part 334A of a limited structure intended to reduce the computational complexity involved in search.

FIG. 15B is a diagram depicting an example of configuration of one transformation box in FIG. 15A.

FIG. 16 is a diagram depicting an example of the configuration of a linear transformation part 344A determined by the search algorithm.

FIG. 17 is a diagram depicting an example of the functional configuration of a second key-dependent linear transformation part 344 in FIG. 14 in the fourth embodiment.

FIG. 18 is a diagram depicting another example of the functional configuration of a second key-dependent linear transformation part 344 in FIG. 14 in the fourth embodiment.

FIG. 19 is a diagram depicting still another example of the functional configuration of a second key-dependent linear transformation part 344 in FIG. 14 in the fourth embodiment.

FIG. 20A is a diagram illustrating the functional configuration of a nonlinear transformation part 343₀′ in the fifth embodiment.

FIG. 20B is a diagram illustrating the functional configuration of a nonlinear transformation part 343₁′.

FIG. 20C is a diagram illustrating the functional configuration of a nonlinear transformation part 343₇′.

FIG. 21 is a diagram showing the functional configuration of a second key-dependent linear transformation part 344 in the fifth embodiment.

FIG. 22 is a diagram showing a configuration for executing a data processing program recorded on a recording medium.

FIG. 23A is a block diagram depicting the basic functional configuration of a key generation part according to the present invention.

FIG. 23B is a block diagram depicting the basic functional configuration of another key generation part according to the present invention.

FIG. 24 is a block diagram depicting an example of the functional configuration of an intermediate key generation part 220 in FIGS. 23A or 23B.

FIG. 25 is a block diagram depicting the functional configuration of a G-function part in FIG. 24 when the present invention is applied to a key scheduling part in FIG. 3.

FIG. 26 is a block diagram depicting the functional configuration of a subkey generation part 240 in FIG. 23A when the present invention is applied to a key scheduling part in FIG. 3.

FIG. 27 is a block diagram depicting an example of the functional configuration of a subkey generation part 250 in FIG. 23B when the present invention is applied to a key scheduling part in FIG. 3 (in this embodiment the subkey generation part contains an H-function part equipped with a bit extraction function).

FIG. 28 is a block diagram depicting the functional configuration of the G-function part 22 designed for the application of the present invention to a Feistel cipher which uses 128 bits as one block.

BEST MODE FOR CARRYING OUT THE INVENTION

First Embodiment

An embodiment of the present invention will be described below withreference to the accompanying drawings.

FIG. 4 illustrates the functional configuration for an encryptionprocess in the data transformation device according to an embodiment ofthe present invention. The data transformation device comprises a datadiffusion part 10 and a key scheduling part 20. In the datatransformation device according to the present invention, too, the datadiffusion part 10 comprises N rounds of cascade-connected roundprocessing parts 38 ₀ to 38 _(N−1) which sequentially perform roundprocessing of left and right pieces of data after input data is splitinto left and right pieces L₀, R₀; each round processing part 38 _(i)(where i=0, 1, . . . , N−1) is made up of a nonlinear function part 304corresponding to the function operation part 12 in FIG. 1, a linearoperation part 305 corresponding to the XOR circuit 13 in FIG. 1 and aswapping part 306.

Input data M, which corresponds to a plaintext, is entered into thecryptographic device via an input part 301. The key scheduling part 20comprises a key input part 320, a expanded key generation part 321 and akey storage part 322. Based on input data (a master key K) from the keyinput part 320, the expanded key generation part 321 generates pluralpieces of key data (subkeys)

{fk; k₀₀, k₀₁; k₁₀, k₁₁, k₁₂; . . . ; k_((N−1)0), k_((N−1)1),k_((N−1)2); ek}

which are stored in the key storage part 322. The input data M istransformed in a key-dependent initial transformation part 302 with thekey data fk stored in the key storage part 322, thereafter being splitin an initial splitting part 303 into two pieces of left and right blockdata L₀ and R₀. For example, 64-bit data is split into two pieces of32-bit block data L₀ and R₀. The key-dependent initial transformationpart 302 performs a linear transformation such as exclusive ORing of thekey data fk and the input data M or bit rotation of the input data M bythe key data fk, or nonlinear transformation by a combination ofmultiplications.

The right block data R₀ is provided to the nonlinear function part 304which is characteristic of the present invention, together with the keydata k₀₀, k₀₁ and k₀₂ stored in the key storage part 322, and in thenonlinear function part 304 the right block data is nonlinearlytransformed to data Y₀. The data Y₀ and the left block data L₀ aretransformed to data L₀* through a linear operation in the linearoperation part 305. The data L₀* and the data R₀ are swapped in theswapping part 306 to provide L₁←R₀, R₁←L₀*; and these pieces of data L₁and R₁ are input to the next first round processing part 38 ₁.

Thereafter, in an i-th round processing parts 38 _(i) (where i=0, 1, . .. , N−1) the same processing as mentioned above is repeated for twopieces of input block data L_(i) and R_(i). That is, the right blockdata R_(i) is input to the nonlinear function part 304 together with thekey data k_(i0), k_(i1) and k_(i2), and in the nonlinear function part304 it is nonlinearly transformed to data Y_(i). The data Y_(i) and thedata L_(i) are transformed to data L_(i)* by a linear operation in thelinear operation part 305. The data L_(i)* and the data R_(i) areswapped in data position in the swapping part 306, that is,L_(i+1)←R_(i), R_(i+1)←L_(i)*. The linear operation part 305 is toperform, for instance, an exclusive OR operation.

Letting N represent the repeat count (the number of rounds) suitable toprovide security of a data transformation device for encryption, twopieces of left and right data L_(N) and R_(N) are obtained as the resultof such repeated processing by the round processing parts 38 ₀ to 38_(N−1). These pieces of data L_(N) and R_(N) are combined into a singlepiece of block data in a final combining part 307; for example, the twopieces of 32-bit data L_(N) and R_(N) are combined to 64-bit data. Thenthe thus combined data is transformed in a final linear transformationpart 308 using the key data ek stored in the key storage part 322, andoutput data C is provided as a ciphertext from an output part 309.

In decryption, the plaintext M can be derived from the ciphertext C by reversing the encryption procedure. In particular, when the key-dependent final transformation part 308 is one that performs a transformation inverse to that of the key-dependent initial transformation part 302, the decryption can be done by inputting ciphertext data in place of the input data in FIG. 4 and then inputting the key data in a sequential order reverse to that in FIG. 4, that is, ek, k_((N−1)0), k_((N−1)1), k_((N−1)2), . . . , k₁₀, k₁₁, k₁₂, k₀₀, k₀₁, k₀₂, fk.

Next, a detailed description will be given of the internal configuration of the nonlinear function part 304. FIG. 5 is a diagrammatic showing of the internal functional configuration of the nonlinear function part 304.

The input block data R_(i) to the i-th round processing part 38_(i) constitutes input data to the nonlinear function part 304, together with the key data k_(i0), k_(i1), k_(i2) stored in the key storage part 322. The block data R_(i) is subjected to, for example, exclusive ORing with the key data k_(i0) in a first key-dependent linear transformation part 341, by which it is linearly transformed to data R_(i)*=R_(i)⊕k_(i0). Next, the thus transformed data R_(i)* is split into four pieces of, for instance, 8-bit data in₀, in₁, in₂ and in₃ in a splitting part 342. The four pieces of data in₀, in₁, in₂ and in₃ are nonlinearly transformed to four pieces of data mid₀₀, mid₀₁, mid₀₂ and mid₀₃ in nonlinear transformation parts 343₀, 343₁, 343₂ and 343₃, respectively, from which they are input to a second key-dependent linear transformation part 344.

The second key-dependent linear transformation part 344 performs linear transformation (XORing) among the pieces of input data mid₀₀, mid₀₁, mid₀₂ and mid₀₃ from four routes to provide new data of four routes, and further performs linear transformation (XORing) of these pieces of data of the four routes with four pieces of the key data k_(i1) to provide output data mid₁₀, mid₁₁, mid₁₂ and mid₁₃ of the four routes. The four pieces of data are input to nonlinear transformation parts 345₀, 345₁, 345₂ and 345₃, wherein they are transformed to data out₀, out₁, out₂ and out₃, respectively. These four pieces of data are combined into data Y_(i)* in a combining part 346; furthermore, in a third key-dependent linear transformation part 347 the data Y_(i)* undergoes a linear operation with the key data k_(i2) to generate output data Y_(i).

The above-mentioned second key-dependent linear transformation part 344 is configured to perform an exclusive OR operation of data between data processing routes 30₀, 30₁, 30₂ and 30₃ provided corresponding to the pieces of data mid₀₀, mid₀₁, mid₀₂ and mid₀₃, respectively, through the use of an algorithm according to the present invention, thereby providing increased security without increasing the number of rounds of the data transformation device depicted in FIG. 4. The security of the data transformation device of FIG. 4 against differential cryptanalysis and linear cryptanalysis is dependent on the configuration of the nonlinear function part 304 of each round; in particular, when the nonlinear function part 304 in FIG. 5 has such a basic configuration as shown in FIG. 6, the security depends on a first nonlinear transformation part 343 composed of n nonlinear transformation parts (S-boxes) with m-bit input data, a linear transformation part 344A for linearly transforming the n outputs and a second nonlinear transformation part 345 composed of n nonlinear transformation parts (S-boxes) for nonlinearly transforming the n m-bit outputs, respectively. It is particularly important how an optimal linear transformation part 344A is constructed which is secure against differential and linear cryptanalysis. According to the present invention, the linear transformation part 344A is represented as an n×n matrix P over {0, 1}, and the optimal linear transformation part 344A is constructed by determining the elements of the matrix P in such a manner as to minimize the maximum differential and linear characteristic probabilities p, q. In this instance, a linear transformation part using the subkey k_(i1), which is contained in the second key-dependent linear transformation part 344, is added as a key-dependent transformation part 344B to the linear transformation part 344A determined by the matrix P, as depicted in FIG. 7.

Incidentally, what is meant by the word “optimal” is to provide the highest resistance to differential and linear cryptanalysis in the linear transformation part 344A of the above configuration, but it does not necessarily mean the optimum for other criteria, for example, an avalanche property. Empirically speaking, however, attacks other than differential and linear cryptanalysis can easily be avoided by only increasing the number of rounds, while it is not certain whether some increase in the number of rounds alone serves to prevent differential and linear cryptanalysis unless a careful study is made of the round function used. In view of this, the present invention attaches the most importance to the resistance of the round function to differential and linear cryptanalysis and constructs the optimal linear transformation part 344A accordingly.

According to the present invention, the linear transformation part 344A in FIG. 6 is represented as the n×n matrix P over {0, 1} as referred to above. This means that the matrix P performs a linear transformation in units of m bits, and that the linear transformation part 344A can be formed by only exclusive ORs. That is, this transformation can be expressed by the following equation:

$$z'_i = \bigoplus_{j=0}^{n-1} t_{ij}\, z_j \qquad (1)$$

In particular, when m=8, the linear transformation is made in units of bytes, and can be efficiently implemented on any platform where the word width is 8 bits or more.

As a concrete example in the case of n=4, a 4×4 matrix P_(E) will be described which is expressed by the following equation:

$$\begin{bmatrix} z'_0 \\ z'_1 \\ z'_2 \\ z'_3 \end{bmatrix} = \begin{bmatrix} 0 & 1 & 1 & 1 \\ 1 & 0 & 1 & 1 \\ 1 & 1 & 1 & 0 \\ 1 & 1 & 1 & 1 \end{bmatrix} \begin{bmatrix} z_0 \\ z_1 \\ z_2 \\ z_3 \end{bmatrix}. \qquad (2)$$

The round function using the matrix P_(E) has the following features. Let it be assumed, however, that the S-box is bijective. z′₀, z′₁, z′₂ and z′₃ defined by the above matrix represent the following operations, respectively.

z′₀ = 0·z₀ ⊕ 1·z₁ ⊕ 1·z₂ ⊕ 1·z₃ = z₁ ⊕ z₂ ⊕ z₃  (3-1)

z′₁ = 1·z₀ ⊕ 0·z₁ ⊕ 1·z₂ ⊕ 1·z₃ = z₀ ⊕ z₂ ⊕ z₃  (3-2)

z′₂ = 1·z₀ ⊕ 1·z₁ ⊕ 1·z₂ ⊕ 0·z₃ = z₀ ⊕ z₁ ⊕ z₂  (3-3)

z′₃ = 1·z₀ ⊕ 1·z₁ ⊕ 1·z₂ ⊕ 1·z₃ = z₀ ⊕ z₁ ⊕ z₂ ⊕ z₃  (3-4)

The resistance of the round function to differential and linear cryptanalysis can be determined by the smallest numbers n_(d), n₁ of active s-boxes, and these values are those determined at the time of determining the matrix P (see Appendix). In differential cryptanalysis an s-box whose input difference value Δx is nonzero is called an active s-box, and in linear cryptanalysis an s-box whose output mask value Γy is nonzero is called an active s-box.

In general, when a certain matrix P is given, there exist a plurality of constructions of the linear transformation part 344A corresponding thereto. This is because the matrix P represents only the relationship between input and output data of the linear transformation part 344A and does not define its concrete construction. That is, if the matrix P which represents the relationship between their input and output data is common, linear transformation parts can be considered to have the same characteristic regardless of their individual constructions. Accordingly, in the following description, the matrix P is determined first which provides high invulnerability against differential and linear cryptanalysis and a good avalanche effect, followed by determining the construction of the linear transformation part 344A. This method is more effective in finding a linear transformation part 344A of optimal characteristic than a method of checking individual constructions of linear transformation parts to see if they have the optimal characteristic.

The elements of the n×n matrix P are determined by the following search algorithm, taking the differential characteristic into account.

Step 1: Set a security threshold T (where T is an integer such that 2≦T≦n).

Step 2: Prepare a set C of column vectors whose Hamming weights are equal to or larger than T−1. More specifically, prepare n or more n-dimensional column vectors which have T−1 or more elements “1.”

Step 3: Select a subset P_(c) of n column vectors from the set C. Repeat the following steps until all subsets have been checked.

Step 3-1: Compute n_(d) for the subset P_(c) of n column vectors. This is represented as n_(d)(P_(c)).

Step 3-2: If n_(d)(P_(c))≧T, then accept a matrix P_(c) consisting of the n column vectors as a candidate matrix.

Step 4: Output matrices P and a value n_(d)(P) that yields the maximum value of n_(d) among all candidate matrices.

If the candidate matrix by the above search algorithm is adopted, then it is guaranteed that the value n_(d) is equal to or larger than T. The matrix P that maximizes n_(d) can efficiently be found by changing T one step at a time in the order T=n, n−1, . . . , 3, 2 upon each execution of the above search algorithm.

In the above search algorithm, if relatively satisfactory invulnerability against differential and linear cryptanalysis can be obtained, then a matrix with n_(d)(P_(c))≧T obtained by performing the steps up to 3-2 may be used as the desired matrix P. Alternatively, the matrix P_(c) composed of n vectors whose Hamming weights are equal to or larger than T−1, selected in step 2 after step 1, may be used as the matrix P.

The input mask values of the linear transformation part 344A can be represented by exclusive ORs of its output mask values, and hence they can be expressed by a certain matrix, as is the case with the differential characteristic. As the result of our checking the relationship between the matrix for the differential characteristic and the matrix for linear expression in several linear transformation parts of different constructions, the following theorem was obtained.

Theorem 1: Assume that an n×n matrix P over {0, 1} is given for the linear transformation part 344A. At this time, the relationship between input and output difference values Δz and Δz′ of the linear transformation part 344A (a difference path) is given by the matrix P, and the relationship between input and output mask values Γz and Γz′ (a mask value path) is given by the transposed matrix ^(T)P. That is,

Δz′ = P Δz  (4)

Γz = ^(T)P Γz′.  (5)

(See Appendix.) The minimum number n_(d) of active s-boxes in the difference value path using the matrix P is equal to the minimum number n₁ of active s-boxes in the mask value path using the transposed matrix ^(T)P.

Because of this (see Appendix), n₁ is also equal to or larger than T when the candidate matrices by the search algorithm are adopted. For example, in the case of the afore-mentioned matrix P_(E), the matrix P_(E) for the difference value path and the matrix ^(T)P_(E) for the mask value path bear the following relationship.

$$P_E = \begin{bmatrix} 0 & 1 & 1 & 1 \\ 1 & 0 & 1 & 1 \\ 1 & 1 & 1 & 0 \\ 1 & 1 & 1 & 1 \end{bmatrix} \Leftrightarrow {}^{T}P_E = \begin{bmatrix} 0 & 1 & 1 & 1 \\ 1 & 0 & 1 & 1 \\ 1 & 1 & 1 & 1 \\ 1 & 1 & 0 & 1 \end{bmatrix} \qquad (6)$$

It can be proven that n_(d)=3 and n₁=3 for the two matrices (see Appendix).
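The search of steps 1 to 4 and the check of Theorem 1 can be carried out mechanically. The following is an added illustration (not code from the patent): it counts active s-boxes for a 0/1 matrix by enumerating the nonzero input patterns, applies the same count to the transposed matrix for the mask-value path, and runs the column-weight search for n=4. One assumption is made explicit in the code: with bijective s-boxes and a matrix over {0, 1}, a word-level difference is active exactly where its nonzero words are, so the minimum can be taken over n-bit 0/1 patterns.

```python
"""Minimum active s-box counts n_d / n_l of a binary n x n matrix P, and the
column-weight search of steps 1-4.  Added illustration, not the patent's code."""
from itertools import combinations


def apply_matrix(P, x):
    """P: list of n rows (tuples of 0/1); x: tuple of n bits.  Returns P*x over GF(2)."""
    return tuple(sum(t & z for t, z in zip(row, x)) & 1 for row in P)


def transpose(P):
    return [tuple(col) for col in zip(*P)]


def weight(v):
    return sum(v)


def active_sboxes(P):
    """Minimum over nonzero input patterns dz of wt(dz) + wt(P*dz).
    Assumption: s-boxes are bijective and P has 0/1 entries, so a word-level
    difference contributes exactly its pattern of nonzero words."""
    n = len(P)
    best = None
    for v in range(1, 1 << n):
        x = tuple((v >> j) & 1 for j in range(n))
        total = weight(x) + weight(apply_matrix(P, x))
        if best is None or total < best:
            best = total
    return best


def n_d(P):
    """Difference-value path (equation (4)): governed by P itself."""
    return active_sboxes(P)


def n_l(P):
    """Mask-value path (equation (5)): governed by the transposed matrix (Theorem 1)."""
    return active_sboxes(transpose(P))


def columns_to_matrix(cols):
    """Build the row list of the matrix whose columns are the given vectors."""
    return [tuple(col[i] for col in cols) for i in range(len(cols[0]))]


def search(n, T):
    """Steps 1-4: every set of n distinct columns of weight >= T-1 is a subset
    P_c; those with n_d(P_c) >= T are candidates; the best n_d is returned."""
    assert 2 <= T <= n                                     # step 1
    C = [tuple((v >> i) & 1 for i in range(n)) for v in range(1 << n)]
    C = [c for c in C if weight(c) >= T - 1]               # step 2
    candidates = []
    for cols in combinations(C, n):                        # step 3
        P = columns_to_matrix(cols)
        nd = n_d(P)                                        # step 3-1
        if nd >= T:                                        # step 3-2
            candidates.append((P, nd))
    best = max(nd for _, nd in candidates) if candidates else None
    return candidates, best                                # step 4


# The matrix P_E of equation (2), written as rows.
P_E = [(0, 1, 1, 1), (1, 0, 1, 1), (1, 1, 1, 0), (1, 1, 1, 1)]

if __name__ == "__main__":
    print("n_d(P_E) =", n_d(P_E), " n_l(P_E) =", n_l(P_E))
    cands, best = search(4, 3)
    print(len(cands), "candidates for T=3, best n_d =", best)
```

Running the search for T=3 lists P_(E) (up to the order of its columns) among the candidates, and n_d and n_l both evaluate to 3 for it, as the text states.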

The following is an algorithm for determining the construction of the linear transformation part 344A when the matrix P is given. Here, one of the following conditions is to be met.

(1) Minimization of the number of exclusive ORs (XORs), or

(2) Repeated appearance of similar subconstructions.

Step 1: In the matrix P, choose two rows and XOR the one row (row a) with the other row (row b) (hereinafter referred to as a primitive operation).

Step 2: Transform the matrix P into the unit matrix I by repeating the primitive operation, count the number of times the primitive operation was performed, and find a matrix transformation procedure that yields the minimum number of primitive operations.

Step 3: To construct the linear transformation part 344A, lines A and B, which correspond to the rows a and b chosen in step 2, are XORed in the order reverse to the transformation procedure.
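The three steps above can be mechanised as a breadth-first search over row operations. The following added example (not the patent's own code) finds a shortest sequence of primitive operations reducing P to I, replays it backwards on the data lines as step 3 prescribes, and checks the resulting XOR network against equation (1). The justification is that each primitive operation is a self-inverse elementary matrix E over GF(2), so E_k···E_1·P = I gives P = E_1···E_k, i.e. the data must pass through E_k first and E_1 last.

```python
"""Construct an XOR network for a binary matrix P by the primitive-operation
procedure of steps 1-3.  Added illustration, not the patent's own code."""
from collections import deque


def primitive(rows, a, b):
    """Step 1: row a <- row a XOR row b (rows is a tuple of 0/1 tuples)."""
    rows = list(rows)
    rows[a] = tuple(x ^ y for x, y in zip(rows[a], rows[b]))
    return tuple(rows)


def identity(n):
    return tuple(tuple(1 if i == j else 0 for j in range(n)) for i in range(n))


def shortest_reduction(P):
    """Step 2: breadth-first search for the fewest primitive operations that
    turn P into I.  Returns the (a, b) pairs in the order they were applied to
    P, or None when P is singular (I is then unreachable)."""
    n = len(P)
    start, goal = tuple(tuple(r) for r in P), identity(n)
    parent = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == goal:
            break
        for a in range(n):
            for b in range(n):
                if a == b:
                    continue
                nxt = primitive(cur, a, b)
                if nxt not in parent:
                    parent[nxt] = (cur, (a, b))
                    queue.append(nxt)
    if goal not in parent:
        return None
    ops, node = [], goal
    while parent[node] is not None:
        prev, op = parent[node]
        ops.append(op)
        node = prev
    return ops[::-1]


def xor_network(P):
    """Step 3: the data-line schedule is the reduction run in reverse order."""
    ops = shortest_reduction(P)
    return None if ops is None else ops[::-1]


def run_network(network, z):
    """Apply 'line a <- line a XOR line b' to the data words z (ints)."""
    z = list(z)
    for a, b in network:
        z[a] ^= z[b]
    return z


def matrix_times(P, z):
    """Reference: z'_i = XOR of z_j over the j with t_ij = 1 (equation (1))."""
    out = []
    for row in P:
        acc = 0
        for t, zj in zip(row, z):
            if t:
                acc ^= zj
        out.append(acc)
    return out


def network_matches(P, network):
    """The network acts bitwise, so agreement on all n-bit 0/1 vectors implies
    agreement on m-bit words for every m."""
    n = len(P)
    for v in range(1 << n):
        z = [(v >> j) & 1 for j in range(n)]
        if run_network(network, z) != matrix_times(P, z):
            return False
    return True


# The matrix P_E of equation (2), written as rows.
P_E = [(0, 1, 1, 1), (1, 0, 1, 1), (1, 1, 1, 0), (1, 1, 1, 1)]

if __name__ == "__main__":
    net = xor_network(P_E)
    print(len(net), "primitive operations; network:", net)
    print(run_network(net, [0x12, 0x34, 0x56, 0x78]))
```

The search explores at most the invertible 4×4 matrices, so it is immediate for n=4; for an 8×8 matrix the same procedure needs a bounded or heuristic search rather than a full BFS.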

In FIG. 7 there is depicted a concrete example of the second key-dependent linear transformation part 344 which has the linear transformation part 344A determined as described above. In the linear transformation part 344A, the four pieces of data mid₀₀, mid₀₁, mid₀₂ and mid₀₃ are input to the processing routes 30₀ to 30₃, respectively. In the processing route 30₀, mid₀₀ and mid₀₁ are XORed by an XOR circuit 31₀; in the processing route 30₂, mid₀₂ and the output from the XOR circuit 31₀ are XORed by an XOR circuit 31₂; and the output from the XOR circuit 31₂ is XORed with mid₀₁ by an XOR circuit 31₁.

In the processing route 30₃, the output from the XOR circuit 31₀ and the data mid₀₃ are XORed by an XOR circuit 31₃; in the processing route 30₁, the outputs from the XOR circuits 31₁ and 31₃ are XORed by an XOR circuit 32₁; and in the processing route 30₀, the outputs from the XOR circuits 32₁ and 31₀ are XORed by an XOR circuit 32₀.

The outputs from the XOR circuits 32₀, 32₁, 31₂ and 31₃ and the subkey data k_(i10), k_(i11), k_(i12) and k_(i13) are XORed by XOR circuits 35₀ to 35₃ of the key-dependent transformation part 344B, respectively, from which mid₁₀, mid₁₁, mid₁₂ and mid₁₃ are provided. In other words, the pieces of data mid₀₀, mid₀₁, mid₀₂ and mid₀₃ are associated with one another and then undergo linear transformation dependent on the 8-bit subkey data k_(i10), k_(i11), k_(i12) and k_(i13), respectively. In short, the logical operations given by the following logical expressions are performed.

mid₁₀ = mid₀₀ ⊕ mid₀₂ ⊕ mid₀₃ ⊕ k_(i10)  (7-1)

mid₁₁ = mid₀₁ ⊕ mid₀₂ ⊕ mid₀₃ ⊕ k_(i11)  (7-2)

mid₁₂ = mid₀₀ ⊕ mid₀₁ ⊕ mid₀₂ ⊕ k_(i12)  (7-3)

mid₁₃ = mid₀₀ ⊕ mid₀₁ ⊕ mid₀₃ ⊕ k_(i13)  (7-4)

Incidentally, the subkey k_(i1) is composed of the four pieces of data k_(i10), k_(i11), k_(i12) and k_(i13).

As depicted in FIG. 5, these pieces of data mid₁₀, mid₁₁, mid₁₂ and mid₁₃ are then nonlinearly transformed in the nonlinear transformation parts 345₀, 345₁, 345₂ and 345₃ into the data out₀, out₁, out₂ and out₃, respectively, which are combined into the single piece of data Y_(i)* in the combining part 346. Finally, the data Y_(i)* is linearly transformed into the data Y_(i) by, for example, a k_(i2)-bit left rotation in the third key-dependent linear transformation part 347 using the key data k_(i2), thereby generating the output data Y_(i) from the nonlinear function part 304. The nonlinear transformation parts 343₀ to 343₃ and 345₀ to 345₃ function just like the S-boxes of the DES cipher, and they are constructed by, for example, a ROM which receives input data as an address to read out therefrom the corresponding data.

Since the four nonlinear transformation parts 343₀ to 343₃ are arranged in parallel and their transformation processes are not associated with one another, they can be executed in parallel. The same goes for the nonlinear transformation parts 345₀ to 345₃. Thus, each group of nonlinear transformation parts can be executed in one step (a total of two steps in the nonlinear function part 304). Letting p represent the differential/linear probability of the nonlinear transformation parts 343₀ to 343₃ and 345₀ to 345₃, the nonlinear function part 304 provides a differential/linear probability p⁴ as a whole when the second key-dependent linear transformation part 344 has such a construction as shown in FIG. 7. Accordingly, when the number of rounds of the entire data transformation device is 3r, an approximate representation is obtained with a probability P≦p^(8r); for example, when r=4 (12 rounds), P≦p³². In the case of the DES cipher, this corresponds to 48 or more rounds, ensuring sufficient security against differential cryptanalysis and linear cryptanalysis.

Incidentally, the pieces of key data fk, k₀₀, k₀₁, k₀₂, k₁₀, k₁₂, . . . , k_((N−1)1), k_((N−1)2), ek are data stored in the key storage part 322 in FIG. 4 after being transformed in the expanded key generation part 321 from the master key Key input via the key input part 320 of the key scheduling part 20. The generation of key data in the expanded key generation part 321 may be the same as in the expanded key generation part 21 for the DES cipher in FIG. 1, or as in the expanded key generation part 21 by Miyaguchi et al. depicted in FIG. 3.

The initial key-dependent transformation part 302 and the final key-dependent transformation part 308 shown in FIG. 4 and the key-dependent linear transformation parts 341, 344 and 347 in each nonlinear function part 304 shown in FIG. 5 are linear transformation parts which depend on keys; therefore, the device of this embodiment is a cryptographic device which is sufficiently secure against both differential cryptanalysis and linear cryptanalysis and hence attaches primary importance to security.

The present invention is not limited specifically to this example; for example, if speedup is demanded, it is feasible to omit any one of the initial key-dependent transformation part 302, the final key-dependent transformation part 308 and the key-dependent linear transformation parts 341, 344 and 347, or to modify it into a key-independent transformation part. In this case, the encryption speed can be increased without significantly diminishing the security against differential cryptanalysis and linear cryptanalysis.

Second Embodiment

A description will be given of another embodiment of the nonlinear function part 304 of FIG. 5 in a data transformation device of the same construction as that of the first embodiment depicted in FIG. 4. In this embodiment the nonlinear transformation parts 343₀, 343₁, 343₂ and 343₃ in FIG. 5 are replaced with nonlinear transformation parts 343₀′ to 343₃′ which nonlinearly transform, for example, 8-bit inputs in₀ to in₃ into 32-bit expanded data MID₀₀, MID₀₁, MID₀₂ and MID₀₃ as equivalently shown in FIGS. 8A to 8D, respectively; furthermore, the key-dependent linear transformation part 344 has such a construction as depicted in FIG. 9.

As is the case with FIG. 5, the data R_(i) is input to the nonlinear function part 304 together with the key data k_(i0), k_(i1) and k_(i2). The data R_(i) is linearly transformed into data R_(i)*=R_(i)⊕k_(i0), for example, by being XORed with the key data k_(i0) in the first key-dependent linear transformation part 341. Next, the data R_(i)* is split into four pieces of data in₀, in₁, in₂ and in₃ in the splitting part 342. The four pieces of data in₀, in₁, in₂ and in₃ are nonlinearly transformed into data MID₀₀, MID₀₁, MID₀₂ and MID₀₃ in the nonlinear transformation parts 343₀′, 343₁′, 343₂′ and 343₃′ depicted in FIGS. 8A to 8D, respectively. In the first embodiment the nonlinear transformation part 343₀ outputs the m-bit data mid₀₀ for the m-bit input in₀, whereas in this embodiment the nonlinear transformation part 343₀′ has an S-box that outputs the same m-bit data mid₀₀ as the high-order m bits as does the nonlinear transformation part 343₀ in the first embodiment of FIG. 5 and outputs fixed data “00 . . . 0₍₂₎” as the low-order m bits; further, the nonlinear transformation part is designed to output the high-order m-bit data mid₀₀ to three routes by duplicating it and to output the m-bit data “00 . . . 0₍₂₎” to the remaining route. That is, the nonlinear transformation part 343₀′ is a means for transforming the m-bit data in₀ to the 4m-bit data

MID₀₀ = [mid₀₀, 00 . . . 0₍₂₎, mid₀₀, mid₀₀]  (8-1)

Similarly, the nonlinear transformation parts 343₁′, 343₂′ and 343₃′ are means for transforming the input data in₁, in₂ and in₃ to

MID₀₁ = [00 . . . 0₍₂₎, mid₀₁, mid₀₁, mid₀₁]  (8-2)

MID₀₂ = [mid₀₂, mid₀₂, mid₀₂, 00 . . . 0₍₂₎]  (8-3)

MID₀₃ = [mid₀₃, mid₀₃, 00 . . . 0₍₂₎, mid₀₃]  (8-4)

The data MID₀₀ expressed by Equation (8-1) can be determined by presetting as MID₀₀ the entire data provided on the four output routes of the linear transformation part 344A when the pieces of data mid₀₁, mid₀₂ and mid₀₃ other than mid₀₀ are each set to “00 . . . 0₍₂₎.” Similarly, the data MID₀₁, MID₀₂ and MID₀₃ expressed by Equations (8-2), (8-3) and (8-4) can also be easily determined. These nonlinear transformation parts 343₀′ to 343₃′ may be constructed in memory as transformation tables from which the data MID₀₀, MID₀₁, MID₀₂ and MID₀₃ are read out by using the data in₀, in₁, in₂ and in₃ as addresses.

Then, these pieces of data MID₀₀ to MID₀₃ are input to the second key-dependent linear transformation part 344 with the key data k_(i1) as depicted in FIG. 9. MID₀₀ and MID₀₁ are XORed by an XOR circuit 41; MID₀₂ and MID₀₃ are XORed by an XOR circuit 42; the outputs from the XOR circuits 41 and 42 are XORed by an XOR circuit 43; and the output from the XOR circuit 43 and the key data k_(i1) are XORed by an XOR circuit 44. The output MID₁ from the XOR circuit 44 is split into m-bit outputs mid₁₀, mid₁₁, mid₁₂ and mid₁₃. After all, the second key-dependent linear transformation part 344 linearly transforms the input data by the following operation:

MID₁ = MID₀₀ ⊕ MID₀₁ ⊕ MID₀₂ ⊕ MID₀₃ ⊕ k_(i1).  (9)

The components of the output MID₁=[mid₁₀, mid₁₁, mid₁₂, mid₁₃] of this linear transformation operation are expressed by the following equations, respectively:

mid₁₀ = mid₀₀ ⊕ mid₀₂ ⊕ mid₀₃ ⊕ k_(i10)  (10-1)

mid₁₁ = mid₀₁ ⊕ mid₀₂ ⊕ mid₀₃ ⊕ k_(i11)  (10-2)

mid₁₂ = mid₀₀ ⊕ mid₀₁ ⊕ mid₀₂ ⊕ k_(i12)  (10-3)

mid₁₃ = mid₀₀ ⊕ mid₀₁ ⊕ mid₀₃ ⊕ k_(i13)  (10-4)

These linear transformation operations are equivalent to those in FIG. 7 given by Equations (7-1) to (7-4). In this way, the same pieces of data mid₁₀, mid₁₁, mid₁₂ and mid₁₃ as those in the first embodiment are generated. Incidentally, k_(i1) is composed of the four pieces of data k_(i10), k_(i11), k_(i12) and k_(i13).

Then, the four pieces of data mid₁₀, mid₁₁, mid₁₂ and mid₁₃ are nonlinearly transformed into data out₀, out₁, out₂ and out₃ in the nonlinear transformation parts 345₀, 345₁, 345₂ and 345₃, respectively, as in FIG. 5, and in the combining part 346 the four pieces of data out₀, out₁, out₂ and out₃ are combined into the single piece of data Y_(i)*. Finally, the data Y_(i)* is linearly transformed into the data Y_(i) by, for example, a k_(i2)-bit left rotation in the third key-dependent linear transformation part 347 using the key data k_(i2), thereby generating the output data Y_(i) from the nonlinear function part 304.

In the second embodiment depicted in FIGS. 8A to 8D and 9, it is also possible to form, as is the case with the first embodiment, the nonlinear transformation parts 343₀ to 343₃ of FIGS. 8A to 8D by only S-boxes which output the 8-bit data mid₀₀ to mid₀₃, respectively, and to provide the wiring shown in FIGS. 8A to 8D and a register which outputs the 8-bit data “00 . . . 0” in the key-dependent linear transformation part 344 to generate therein the data MID₀₀ to MID₀₃.

The second key-dependent linear transformation part 344 in this embodiment implements a linear transformation equivalent to that shown in FIG. 7 through the use of four XOR circuits as depicted in FIG. 9 (ten XORs in FIG. 7), and hence permits faster transformation than in the first embodiment.
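The equivalence claimed here between the FIG. 7 wiring (Equations (7-1) to (7-4)) and the FIG. 9 form (Equations (8-1) to (8-4) and (9)) can be checked directly. The following added example (not code from the patent) wires the FIG. 7 XOR circuits by name, derives the expanded words MID₀₀ to MID₀₃ from that wiring by the single-route rule stated after Equation (8-4), and then evaluates Equation (9). The byte values used for checking are constructed.

```python
"""Two realisations of the second key-dependent linear transformation part 344:
the FIG. 7 XOR network and the FIG. 9 form over 32-bit expanded words.
Added illustration, not the patent's code; sample bytes are constructed."""


def linear_344_fig7(mid, k):
    """mid = (mid00, mid01, mid02, mid03), k = (k_i10, k_i11, k_i12, k_i13), bytes.
    Local names follow the XOR circuits of FIG. 7."""
    m0, m1, m2, m3 = mid
    x31_0 = m0 ^ m1            # route 30_0
    x31_2 = m2 ^ x31_0         # route 30_2 -> mid12 before the key
    x31_1 = x31_2 ^ m1         # route 30_1
    x31_3 = x31_0 ^ m3         # route 30_3 -> mid13 before the key
    x32_1 = x31_1 ^ x31_3      # route 30_1 -> mid11 before the key
    x32_0 = x32_1 ^ x31_0      # route 30_0 -> mid10 before the key
    # Part 344B: XOR circuits 35_0 .. 35_3 add the subkey bytes.
    return (x32_0 ^ k[0], x32_1 ^ k[1], x31_2 ^ k[2], x31_3 ^ k[3])


def equations_7(mid, k):
    """Equations (7-1) .. (7-4) written out directly."""
    m0, m1, m2, m3 = mid
    return (m0 ^ m2 ^ m3 ^ k[0], m1 ^ m2 ^ m3 ^ k[1],
            m0 ^ m1 ^ m2 ^ k[2], m0 ^ m1 ^ m3 ^ k[3])


def pack32(words):
    """[w0, w1, w2, w3] -> 32-bit int with w0 (route 0) in the high-order byte."""
    v = 0
    for w in words:
        v = (v << 8) | (w & 0xFF)
    return v


def unpack32(v):
    return tuple((v >> (8 * (3 - i))) & 0xFF for i in range(4))


def expand(route, mid):
    """MID_0r of Equations (8-1) .. (8-4): the whole four-route output of part
    344A when only 'route' carries mid and the other three carry 00...0."""
    single = [0, 0, 0, 0]
    single[route] = mid
    return pack32(linear_344_fig7(single, (0, 0, 0, 0)))


def linear_344_fig9(mid, k):
    """Equation (9): MID1 = MID00 ^ MID01 ^ MID02 ^ MID03 ^ k_i1 (FIG. 9)."""
    MID = [expand(r, mid[r]) for r in range(4)]   # outputs of parts 343_r'
    x41 = MID[0] ^ MID[1]                          # XOR circuit 41
    x42 = MID[2] ^ MID[3]                          # XOR circuit 42
    x43 = x41 ^ x42                                # XOR circuit 43
    x44 = x43 ^ pack32(k)                          # XOR circuit 44 (k_i1)
    return unpack32(x44)


if __name__ == "__main__":
    mid, k = (0x12, 0x34, 0x56, 0x78), (0xA5, 0x5A, 0x0F, 0xF0)   # constructed
    for r in range(4):
        print("MID_0%d for mid=0xAB:" % r, [hex(b) for b in unpack32(expand(r, 0xAB))])
    print([hex(b) for b in linear_344_fig7(mid, k)],
          [hex(b) for b in linear_344_fig9(mid, k)])
```

In a table-driven implementation the four `expand` values for every input byte would be precomputed into the 256-entry tables that the text describes, so the per-round work is four table reads and four 32-bit XORs.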

Furthermore, as is the case with the first embodiment, the four nonlinear transformation parts 343₀ to 343₃ and 345₀ to 345₃ are arranged in parallel and their nonlinear transformation processes are not associated with one another, and hence they can be executed in parallel. Besides, letting p represent the differential/linear probability of the nonlinear transformation parts 343₀ to 343₃ and 345₀ to 345₃, the differential/linear probability of the nonlinear function part 304 becomes p⁴ as a whole.

Third Embodiment

A description will be given of another embodiment of the nonlinear function part 304 with still another functional configuration in the data transformation device that has the functional configuration depicted in FIG. 4 as in the first embodiment.

As depicted in FIG. 5, for example, 32-bit data R_(i) is input to the nonlinear function part 304 together with the key data k_(i0), k_(i1) and k_(i2) stored in the key storage part 322. The data R_(i) is linearly transformed into data R_(i)*=R_(i)⊕k_(i0) by, for example, XORing with the key data k_(i0) in the first key-dependent linear transformation part 341. Then the data R_(i)* is split into four pieces of, for example, 8-bit data in₀, in₁, in₂ and in₃ in the splitting part 342.

In the nonlinear transformation part 343₀, as shown in FIG. 10, for instance, the data in₀ is further split into two, for example, 4-bit subblocks in₀₀ and in₀₁; the subblock in₀₀ is transformed to data mid₀₀₀ in a sub-nonlinear transformation part 51 and, at the same time, it is XORed with the data in₀₁ by an XOR circuit 52, whose output in₀₀⊕in₀₁ is transformed into data mid₀₀₁ in a sub-nonlinear transformation part 53. Thereafter, these outputs mid₀₀₀ and mid₀₀₁ are XORed by an XOR circuit 54, and its output and the data mid₀₀₁ are combined into the data mid₀₀. That is, the nonlinear transformation part 343₀ splits the input in₀ into two subblocks, then performs linear transformation and nonlinear transformation of the two subblocks, and combines the two resulting output subblocks into the output from the nonlinear transformation part. Similarly, the other remaining pieces of data in₁, in₂ and in₃ are also transformed into the data mid₀₁, mid₀₂ and mid₀₃ in the nonlinear transformation parts 343₁, 343₂ and 343₃, each having the functional configuration shown in FIG. 10 which comprises two nonlinear transformation parts and two XOR circuits.

These pieces of transformed data mid₀₀, mid₀₁, mid₀₂ and mid₀₃ are input to the second key-dependent linear transformation part 344 depicted in FIG. 7 which uses the key data k_(i1). The transformation part 344 performs the aforementioned operations of Equations (7-1) to (7-4).

Then, the data mid₁₀ is input to the nonlinear transformation part 345₀ of the same functional configuration as shown in FIG. 10, wherein it is further split into two subblocks mid₁₀₀ and mid₁₀₁. The subblock mid₁₀₀ is transformed into data out₀₀ in the sub-nonlinear transformation part 51. The subblocks mid₁₀₀ and mid₁₀₁ are XORed by the XOR circuit 52, and its output mid₁₀₀⊕mid₁₀₁ is transformed into data out₀₁ in the sub-nonlinear transformation part 53. Then, the two pieces of data out₀₀ and out₀₁ are XORed by the XOR circuit 54, and its output out₀₀⊕out₀₁ and the data out₀₁ are combined into out₀. Similarly, the other remaining pieces of data mid₁₁, mid₁₂ and mid₁₃ are also transformed into the data out₁, out₂ and out₃ in the nonlinear transformation parts 345₁, 345₂ and 345₃, each having the functional configuration shown in FIG. 10 which comprises the two sub-nonlinear transformation parts 51, 53 and the two XOR circuits 52, 54.

The four pieces of thus nonlinearly transformed data out₀, out₁, out₂ and out₃ are combined into a single piece of data Y_(i)* in the combining part 346. Finally, the data Y_(i)* is linearly transformed into data Y_(i), for example, by a k_(i2)-bit left rotation in the third key-dependent linear transformation part 347 using the key data k_(i2), by which the output data Y_(i) from the nonlinear function part 304 is generated.

As described above, according to this embodiment, in each of the nonlinear transformation parts 343₀ to 343₃ and 345₀ to 345₃ the input data is split into two pieces of data, which are nonlinearly transformed in the two sub-nonlinear transformation parts (51 and 53 in FIG. 10). Hence, it is possible to input to the nonlinear transformation parts 343₀ to 343₃ and 345₀ to 345₃ data of a bit length twice that of the data that the 16 sub-nonlinear transformation parts can handle. For example, assuming that the sub-nonlinear transformation parts 51 and 53 are 8-bit S-boxes, each input to the nonlinear transformation parts 343₀ to 343₃ and 345₀ to 345₃ is 16 bits long and the input to the nonlinear function part 304 is 64 bits long. As a result, the block length in the data transformation device of FIG. 4 can be made 128 bits.
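The active-s-box analysis earlier in the text assumes bijective S-boxes, so it is worth checking that the FIG. 10 construction keeps that property when parts 51 and 53 are bijective. The following added example (not the patent's code) implements one FIG. 10 transformation part with constructed 4-bit sub-S-boxes (the first rows of two DES S-boxes, used simply as convenient permutations), writes out its inverse, and shows that a non-bijective part 51 breaks the property.

```python
"""One FIG. 10 nonlinear transformation part: the input is split into two halves
that pass through sub-S-boxes 51 and 53 and XOR circuits 52 and 54.
Added illustration, not the patent's code; the sub-S-boxes are constructed."""

# Constructed 4-bit bijective sub-S-boxes (first rows of DES S1 and S3).
S51 = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
S53 = [0xA, 0x0, 0x9, 0xE, 0x6, 0x3, 0xF, 0x5, 0x1, 0xD, 0xC, 0x7, 0xB, 0x4, 0x2, 0x8]


def fig10_part(x, s51=S51, s53=S53, half=4):
    """in0 (2*half bits) -> mid00 (2*half bits) as wired in FIG. 10."""
    mask = (1 << half) - 1
    in00, in01 = x >> half, x & mask          # split into two subblocks
    mid000 = s51[in00]                        # sub-nonlinear part 51
    mid001 = s53[in00 ^ in01]                 # XOR circuit 52, then part 53
    return ((mid000 ^ mid001) << half) | mid001   # XOR circuit 54, then combine


def fig10_inverse(y, s51=S51, s53=S53, half=4):
    """Inverse of fig10_part, valid whenever s51 and s53 are permutations:
    the low half is mid001, the high half XOR the low half is mid000."""
    mask = (1 << half) - 1
    high, low = y >> half, y & mask
    mid000, mid001 = high ^ low, low
    in00 = s51.index(mid000)
    in01 = in00 ^ s53.index(mid001)
    return (in00 << half) | in01


def is_bijective(f, bits=8):
    """True when f maps the 2^bits inputs onto 2^bits distinct outputs."""
    return len({f(x) for x in range(1 << bits)}) == (1 << bits)


if __name__ == "__main__":
    print("FIG. 10 part bijective:", is_bijective(fig10_part))
    print("round trip of 0x3C:", hex(fig10_inverse(fig10_part(0x3C))))
    print("with a constant part 51:", is_bijective(lambda x: fig10_part(x, s51=[0] * 16)))
```

The inverse makes the reason visible: the low half of the output identifies in₀₀⊕in₀₁ through part 53, and the XOR of the two halves identifies in₀₀ through part 51, so both inputs are recovered exactly when each sub-S-box is invertible.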

The sub-nonlinear transformation parts 51 and 53 are arranged in parallel in groups of eight and their nonlinear transformation processes are not associated with one another, and hence they can be executed in parallel. Further, letting p represent the differential/linear probability of the sub-nonlinear transformation parts 51 and 53, the nonlinear function part 304 provides a differential/linear probability p⁴ as a whole.

In the above, the first key-dependent linear transformation part 341, the second key-dependent transformation part 344 and the third key-dependent transformation part 347 need not always be key-dependent, i.e., the linear transformation may be performed on the subdata independently of a key.

While in the above the data processing has been described as being performed using a hardware structure, it may also be implemented by software that follows a program. For example, FIG. 11 is a flowchart showing the principal part of the procedure for data processing. FIG. 11 shows the procedure corresponding to the entire procedure of FIG. 4.

Step S1: Initialize to 0 a variable i representing the repeat count of processing.

Step S2: Perform initial transformation of an input plaintext and split it into left and right block data L_(i) and R_(i).

Step S3: Process the right block data R_(i) by a nonlinear function using the subkey k_(i) to generate the block data Y_(i).

Step S4: Perform linear processing of the left block data L_(i) by the block data Y_(i) to generate the block data L_(i)*.

Step S5: Change the right block data R_(i) to new left block data L_(i) and the block data L_(i)* to new right block data R_(i).

Step S6: Increment the variable i by one.

Step S7: Check to see if i has reached N, and if not, return to step S3 and repeat steps S3 to S7.

Step S8: If it is decided in step S7 that the variable i has reached N, combine the left and right data L_(i) and R_(i) and output the result of the final transformation as output data C.

Details of the process of step S3 in FIG. 11 correspond to the process by the nonlinear function part 304 shown in FIG. 5, and the procedure is depicted in FIG. 12.

Step S31: Perform the first key-dependent linear transformation of the right data R_(i) into the data R_(i)*.

Step S32: Split the data R_(i)* into n pieces of m-bit data in₀, in₁, . . . , in_(n−1) (where m=8 and n=4, for instance).

Step S33: Read out data mid₀₀, mid₀₁, . . . , mid_(0(n−1)) from n first S-boxes using the data in₀, in₁, . . . , in_(n−1) as addresses.

Step S34: Perform key-dependent linear transformation of the data mid₀₀ to mid_(0(n−1)) by the subkey k_(i1) to generate data mid₁₀ to mid_(1(n−1)).

Step S35: Read out data out₀ to out_(n−1) from n second S-boxes using the data mid₁₀ to mid_(1(n−1)) as addresses.

Step S36: Combine the data out₀ to out_(n−1) into data Y*_(i).

Step S37: Perform the third key-dependent linear transformation of the data Y*_(i) to generate data Y_(i) and output it.

The operations in step S34 may be the operations by Equations (7-1) to (7-4) or Equation (9) using the definitions by Equations (8-1) to (8-4). While FIG. 11 depicts the procedure that repeats steps S3 to S7 by the number of rounds involved, the individual processes by the round processing parts 38₀ to 38_(N−1) shown in FIG. 4 may also be programmed intact to implement the data diffusion part according to the present invention.
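Steps S1 to S8 and S31 to S37 together describe a complete software round structure. The following added example (not the patent's code) writes it out with the first-embodiment parameters (64-bit block, 32-bit halves, m=8, n=4), with step S34 realised by Equations (7-1) to (7-4) and step S37 by a k_(i2)-bit left rotation, and shows the reversed key order ek, k_(N−1), ..., k₀, fk recovering the plaintext as the earlier decryption paragraph describes. The S-boxes, the subkeys and the sample block are constructed stand-ins; the key scheduling part is not modelled. One assumption is stated in the code: since every round in FIG. 11 ends with the swap of step S5, the halves are exchanged before and after the reversed rounds, which is how the final and initial transformation parts are paired here.

```python
"""Software form of the FIG. 4 / FIG. 11 / FIG. 12 procedure with the
first-embodiment parameters.  Added illustration, not the patent's code;
S-boxes, subkeys and the sample block are constructed stand-ins."""
import random

MASK32 = 0xFFFFFFFF


def constructed_sbox(seed):
    """A constructed bijective 8-bit S-box (a seeded random permutation)."""
    s = list(range(256))
    random.Random(seed).shuffle(s)
    return s


S343 = constructed_sbox(1)   # first S-box layer, parts 343_0 .. 343_3
S345 = constructed_sbox(2)   # second S-box layer, parts 345_0 .. 345_3


def rotl32(v, r):
    r %= 32
    return ((v << r) | (v >> (32 - r))) & MASK32 if r else v


def nonlinear_function(R, k):
    """Steps S31-S37.  k = (k_i0: 32-bit int, k_i1: four bytes, k_i2: rotation)."""
    ki0, ki1, ki2 = k
    Rs = R ^ ki0                                             # S31, part 341
    inp = [(Rs >> (8 * (3 - j))) & 0xFF for j in range(4)]   # S32, part 342
    m0, m1, m2, m3 = [S343[x] for x in inp]                  # S33, parts 343
    mid1 = (m0 ^ m2 ^ m3 ^ ki1[0], m1 ^ m2 ^ m3 ^ ki1[1],    # S34, Equations (7-1)..(7-4)
            m0 ^ m1 ^ m2 ^ ki1[2], m0 ^ m1 ^ m3 ^ ki1[3])
    out = [S345[x] for x in mid1]                            # S35, parts 345
    Ys = (out[0] << 24) | (out[1] << 16) | (out[2] << 8) | out[3]   # S36, part 346
    return rotl32(Ys, ki2)                                   # S37, part 347


def rounds(L, R, round_keys):
    """Steps S3-S7 for every subkey in the given order."""
    for k in round_keys:
        Y = nonlinear_function(R, k)   # S3
        Ls = L ^ Y                     # S4 (linear operation part 305 = XOR)
        L, R = R, Ls                   # S5 swap
    return L, R


def encrypt(M, fk, round_keys, ek):
    X = M ^ fk                          # S2: initial transformation (XOR with fk)
    L, R = X >> 32, X & MASK32          # S2: split into L_0, R_0
    L, R = rounds(L, R, round_keys)
    return ((L << 32) | R) ^ ek         # S8: combine and final transformation


def decrypt(C, fk, round_keys, ek):
    """Same structure with keys in the order ek, k_{N-1}, ..., k_0, fk.
    Assumption: the halves are swapped around the reversed rounds because each
    FIG. 11 round ends with the step S5 swap."""
    X = C ^ ek
    L, R = X >> 32, X & MASK32
    R, L = rounds(R, L, list(reversed(round_keys)))
    return ((L << 32) | R) ^ fk


# Constructed subkeys for N = 12 rounds and a constructed sample block.
ROUND_KEYS = [((0x9E3779B9 * (i + 1)) & MASK32,
               tuple((0x11 * (i + j + 1)) & 0xFF for j in range(4)),
               (3 * i + 1) % 32) for i in range(12)]
FK, EK = 0x0F1E2D3C4B5A6978, 0x8796A5B4C3D2E1F0
M_SAMPLE = 0x0123456789ABCDEF

if __name__ == "__main__":
    C = encrypt(M_SAMPLE, FK, ROUND_KEYS, EK)
    print("C =", hex(C), " decrypt(C) =", hex(decrypt(C, FK, ROUND_KEYS, EK)))
```

Because fk is XORed in before a key-dependent permutation, any change to fk or to the plaintext changes the ciphertext; the round trip through `decrypt` is the check that the reversed key order really inverts the structure.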

Fourth Embodiment

The first embodiment depicted in FIG. 4 is an embodiment in which the basic linear transformation part 344A of FIG. 6, which constitutes the second key-dependent linear transformation part 344 of the nonlinear function part 304 (FIG. 5), is represented by a 4×4 matrix (that is, four inputs and four outputs). The fourth embodiment will be described below in connection with the case where the linear transformation part 344A is represented by an 8×8 matrix.

FIG. 13 illustrates the functional configuration of the encryption procedure in the data transformation device according to the fourth embodiment of the present invention. This configuration itself is identical with that of the first embodiment but differs from the latter in the data length and in the split number n of the data split in the nonlinear function part 304.

The input data M is transformed in the initial key-dependenttransformation part 302 using the key data fk stored in the key storagepart 322 and is split to left and right block data L₀ and R₀ in theinitial splitting part 303. For example, 128-bit data is split into twopieces of 64-bit block data L₀ and R₀. The key-dependent initialtransformation part 302 performs a linear transformation such asexclusive ORing of the key data fk and the input data M or bit rotationof the input data M by the key data fk, or nonlinear transformation by acombination of multiplications.

The right block data R₀ is provided to the nonlinear function part 304 together with the key data k₀₀, k₀₁ and k₀₂ stored in the key storage part 322, and in the nonlinear function part 304 it is nonlinearly transformed to data Y₀. The data Y₀ and the data L₀ are transformed by a linear operation to data L₀* in the linear operation part 305. The data L₀* and the data R₀ undergo data-position swapping in the swapping part 306 to provide L₁←R₀ and R₁←L₀*, and the pieces of data L₁ and R₁ are fed to the next round processing part 38 ₁.

Thereafter, in the i-th round processing part 38 _(i) (where i=0, 1, . . . , N−1) the same processing as mentioned above is repeated for the two pieces of input block data L_(i) and R_(i). That is, the right block data R_(i) is input to the nonlinear function part 304 together with the key data k_(i0), k_(i1) and k_(i2), and in the nonlinear function part 304 it is nonlinearly transformed to block data Y_(i). The block data Y_(i) and the block data L_(i) are transformed to data L_(i)* by a linear operation in the linear operation part 305. The data L_(i)* and the data R_(i) are swapped in data position in the swapping part 306, that is, L_(i+1)←R_(i), R_(i+1)←L_(i)*. The linear operation part 305 performs, for instance, an exclusive OR operation.

Letting N represent the number of rounds suitable to provide security ofa data transformation device, two pieces of left and right data L_(N)and R_(N) are obtained as the result of such repeated processing. Thesepieces of data L_(N) and R_(N) are combined into a single piece of blockdata in the final combining part 307; for example, the two pieces of64-bit data L_(N) and R_(N) are combined to 128-bit data. Then the thuscombined data is transformed in a final linear transformation part 308using the key data ek stored in the key storage part 322, and outputdata C is provided as a ciphertext from the output part 309.

In decryption, the plaintext M can be derived from the ciphertext C byreversing the encryption procedure. In particular, when thekey-dependent final transformation part 308 is one that performstransformation inverse to that of the key-dependent initialtransformation part 302, the decryption can be done by inputtingciphertext data in place of the input data in FIG. 13 and then inputtingthe key data in a sequential order reverse to that in FIG. 13, that is,ek, k_((N−1)0), k_((N−1)1), k_((N−1)2), . . . , k₁₀, k₁₁, k₁₂, k₀₀, k₀₁,k₀₂, fk.
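The reversed-key decryption described above depends on the initial and final key-dependent transformation parts being inverses of each other and on how the two halves are combined after the last round. The following Python code is an added worked example and is not part of this specification: it builds the data diffusion part of FIG. 13 around a stand-in round function (a keyed hash truncated to 64 bits, assumed here only because any keyed function serves for the inversion argument; the nonlinear function part 304 itself is not reproduced), uses XOR with fk and ek for the parts 302 and 308, and omits the swap after the last round so that the halves are combined as (R_(N), L_(N)). Under these assumptions, running the same procedure with the key data in the order ek, k_(N−1), . . . , k₀, fk recovers the plaintext. The key values and the message are constructed for the example.

```python
import hashlib

BLOCK = 16  # 128-bit block, split into two 64-bit halves as in FIG. 13


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def F(R, k):
    """Stand-in for the nonlinear function part 304 (assumption: a keyed hash
    truncated to 64 bits; any keyed function works for the inversion argument)."""
    return hashlib.sha256(b"F|" + R + b"|" + k).digest()[:8]


def diffusion(X, first_key, round_keys, last_key):
    """Data diffusion part of FIG. 13 with XOR as parts 302 and 308.
    The swap after the last round is omitted: halves are combined as (R_N, L_N)."""
    assert len(X) == BLOCK
    X = xor(X, first_key)                 # initial key-dependent transformation part 302
    L, R = X[:8], X[8:]                   # initial splitting part 303
    for k in round_keys:                  # round processing parts 38_0 .. 38_(N-1)
        L, R = R, xor(L, F(R, k))         # parts 304, 305 (XOR) and 306 (swap)
    return xor(R + L, last_key)           # parts 307 and 308, last swap undone


def encrypt(M, keys):
    fk, round_keys, ek = keys
    return diffusion(M, fk, round_keys, ek)


def decrypt(C, keys):
    fk, round_keys, ek = keys
    # same network, key data in the order ek, k_(N-1), ..., k_0, fk
    return diffusion(C, ek, round_keys[::-1], fk)


# Constructed sample key data (not from the specification): fk, 12 round keys, ek.
SAMPLE_KEYS = (
    bytes.fromhex("000102030405060708090a0b0c0d0e0f"),
    [bytes([i]) * 8 for i in range(12)],
    bytes.fromhex("f0e1d2c3b4a5968778695a4b3c2d1e0f"),
)
SAMPLE_M = b"sixteen byte msg"


def roundtrip(M=SAMPLE_M, keys=SAMPLE_KEYS):
    """Returns (ciphertext, plaintext recovered with the reversed key order)."""
    C = encrypt(M, keys)
    return C, decrypt(C, keys)


if __name__ == "__main__":
    C, M2 = roundtrip()
    print(C.hex(), M2)
```

If the swap after the last round were kept, the same procedure with reversed key data would have to be applied to the ciphertext with its halves exchanged and the result exchanged again; omitting that swap, or absorbing it into the final and initial transformation parts, is what allows the ciphertext to be input in place of the input data as stated above.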

Next, a detailed description will be given of the internal configurationof the nonlinear function part 304. FIG. 14 is a diagrammatic showing ofthe internal functional configuration of the nonlinear function part304.

The right block data R_(i) is input to the nonlinear function part 304together with the key data k_(i0), k_(i1) and k_(i2) stored in the keystorage part 322.

In the first key-dependent linear transformation part 341 the rightblock data R_(i) is transformed to data R_(i)*=R_(i)⊕k_(i0), forexample, by XORing with the subkey data k_(i0). The thus transformeddata R_(i)* is split to n=8 pieces of data in₀, in₁, in₂, . . . , in₇ inthe splitting part 342. The eight pieces of data in₀ to in₇ arenonlinearly transformed to data mid₀₀ to mid₀₇ in nonlineartransformation parts 343 ₀ to 343 ₇, thereafter being input to thesecond key-dependent linear transformation part 344 using the key datak_(i1).

The second key-dependent linear transformation part 344 performs lineartransformation (XORing) among the pieces of data mid₀₀, mid₀₁, mid₀₂, .. . , mid₀₇ input from eight routes to provide new data of eight routes,and further performs linear transformation (XORing) among these piecesof data of the eight routes with eight parts of the key data k_(i1) toprovide output data mid₁₀, mid₁₁, mid₁₂, . . . , mid₁₇ of the eightroutes. The eight pieces of data are input to nonlinear transformationparts 345 ₀, 345 ₁, 345 ₂, . . . , 345 ₇, wherein they are transformedto data out₀, out₁, out₂, . . . , out₇, respectively. These eight piecesof data are combined into data Y_(i)* in a combining part 346;furthermore, in the third key-dependent linear transformation part 347the data Y_(i)* undergoes linear transformation with the key data k_(i2)to generate output data Y_(i).

The second key-dependent linear transformation part 344 contains the linear transformation part 344A expressed by an n×n matrix as described previously with respect to FIG. 6; in this embodiment n=8. In this instance, assume that the linear transformation part is bijective, that is, rank(P)=8. A description will be given of the determination of an 8×8 matrix P that yields the maximum value of n_(d) described in the first embodiment. In this instance, the security threshold T is reduced one by one in the order T=8, 7, . . . , and the following algorithm is executed for each value.

Step 1: Set the security threshold T (where T is an integer such that 2≦T≦n).

Step 2: Prepare a set C of column vectors whose Hamming weights are equal to or larger than T−1.

Step 3: Select a subset P_(c) of eight column vectors from the set C. If rank(P_(c))≠8, the subset P_(c) is not accepted as a candidate.

Step 3-1: Compute n_(d) for P_(c) as follows, where t_(ia) denotes the element of P_(c) in row i and column a, and #{ } denotes the number of elements of a set.

For any two columns a, b:

$n_{d0} = 2 + \min_{(a,b)} \#\{\, i \mid t_{ia} \oplus t_{ib} \neq 0,\ 0 \leq i < 8 \,\}$

For any three columns a, b, c:

$n_{d1} = 3 + \min_{(a,b,c)} \#\{\, i \mid t_{ia} \oplus t_{ib} \oplus t_{ic} \neq 0,\ 0 \leq i < 8 \,\}$

$n_{d2} = 3 + \min_{(a,b,c)} \#\{\, i \mid (t_{ia}, t_{ib}, t_{ic}) \notin \{(0,0,0),(1,1,1)\},\ 0 \leq i < 8 \,\}$

For any four columns a, b, c, d:

$n_{d3} = 4 + \min_{(a,b,c,d)} \#\{\, i \mid t_{ia} \oplus t_{ib} \oplus t_{ic} \oplus t_{id} \neq 0,\ 0 \leq i < 8 \,\}$

$n_{d4} = 4 + \min_{(a,b,c,d)} \#\{\, i \mid (t_{ia}, t_{ib}, t_{ic}, t_{id}) \notin \{(0,0,0,0),(1,1,0,0),(0,1,1,1),(1,0,1,1)\},\ 0 \leq i < 8 \,\}$

$n_{d5} = 4 + \min_{(a,b,c,d)} \#\{\, i \mid (t_{ia}, t_{ib}, t_{ic}, t_{id}) \notin \{(0,0,0,0),(1,0,1,0),(0,1,1,1),(1,1,0,1)\},\ 0 \leq i < 8 \,\}$

$n_{d6} = 4 + \min_{(a,b,c,d)} \#\{\, i \mid (t_{ia}, t_{ib}, t_{ic}, t_{id}) \notin \{(0,0,0,0),(1,0,0,1),(0,1,1,1),(1,1,1,0)\},\ 0 \leq i < 8 \,\}$

$n_{d7} = 4 + \min_{(a,b,c,d)} \#\{\, i \mid (t_{ia}, t_{ib}, t_{ic}, t_{id}) \notin \{(0,0,0,0),(0,1,1,0),(1,0,1,1),(1,1,0,1)\},\ 0 \leq i < 8 \,\}$

$n_{d8} = 4 + \min_{(a,b,c,d)} \#\{\, i \mid (t_{ia}, t_{ib}, t_{ic}, t_{id}) \notin \{(0,0,0,0),(0,1,0,1),(1,0,1,1),(1,1,1,0)\},\ 0 \leq i < 8 \,\}$

$n_{d9} = 4 + \min_{(a,b,c,d)} \#\{\, i \mid (t_{ia}, t_{ib}, t_{ic}, t_{id}) \notin \{(0,0,0,0),(0,0,1,1),(1,1,0,1),(1,1,1,0)\},\ 0 \leq i < 8 \,\}$

$n_{d} = \min\{\, n_{di} \mid 0 \leq i \leq 9 \,\}$

Intuitively, n_(d0) to n_(d9) give, for a given number of active s-boxes in the first nonlinear transformation part 343 (the first term on the right-hand side), the minimum number of active s-boxes in the second nonlinear transformation part 345 (the second term on the right-hand side), and hence the total number of active s-boxes (the left-hand side). For example, when there are two active s-boxes in the first nonlinear transformation part 343, with difference values Δz_(a) and Δz_(b), the differences at the inputs of the second nonlinear transformation part 345 are

[Δz′ _(i) ]=[t _(ia) Δz _(a) ⊕t _(ib) Δz _(b)](0≦i<8)  (11)

In particular, when Δz_(a)=Δz_(b),

[Δz′ _(i)]=[(t _(ia) ⊕t _(ib))Δz _(a)](0≦i<8)  (12)

so that the i-th s-box of the part 345 is active exactly when t_(ia)⊕t_(ib)≠0, and the minimum number of active s-boxes in this case is given by n_(d0). The cases n_(d2) and n_(d4) to n_(d9) cover three or four active s-boxes whose differences are not all equal but still cancel on some routes; the tuples excluded in each case are exactly the coefficient combinations on which such differences cancel.

As a result of our search for the matrix P by the above search algorithm, it has been found that there is no matrix with n_(d)≧6 (T=6) but that there are 10080 candidate matrices with n_(d)=5 (T=5). Hence the resistance of the round function using such a matrix P to differential cryptanalysis is p≦p_(s)⁵, and its resistance to linear cryptanalysis is likewise q≦p_(s)⁵.

The construction of the linear transformation part is determined from among the above-mentioned 10080 candidate matrices P. Determining the construction by an exhaustive search involves a computational complexity of approximately (8×7)¹⁶≈2⁹³ when 16 XORs are used, which is infeasible. The construction is therefore limited to one in which the linear transformation part 344A is composed of four boxes B1 to B4, each with 8 inputs and 4 outputs, as depicted in FIG. 15A. Each box is formed by four XOR circuits, as shown in FIG. 15B, and is designed so that every input line passes through one of the XOR circuits. Accordingly, the linear transformation part 344A comprises a total of 16 XOR circuits. In this instance, the computational complexity is around (4×3×2×1)⁴≈2¹⁸, which is small enough for an exhaustive search.

While in FIG. 15A four transformation boxes are alternately inserted inthe lines of left and right four routes, these lines may be determinedto be arbitrarily selected four lines and the other remaining fourlines. Each transformation box is supplied with inputs from the fourlines in which it is inserted and inputs from the remaining four linesand outputs the results of transformation to the former four lines.

As a result of searching the 10080 matrices obtained by the above search algorithm for those which can be built up from the unit matrix I with 16 primitive operations (XORs) under the construction of FIG. 15, it was found that there are 57 such constructions. The matrix P of one of these constructions is shown below. $\begin{matrix}{P = \begin{bmatrix}0 & 1 & 1 & 1 & 1 & 1 & 1 & 0 \\1 & 0 & 1 & 1 & 0 & 1 & 1 & 1 \\1 & 1 & 0 & 1 & 1 & 0 & 1 & 1 \\1 & 1 & 1 & 0 & 1 & 1 & 0 & 1 \\1 & 1 & 0 & 1 & 1 & 1 & 0 & 0 \\1 & 1 & 1 & 0 & 0 & 1 & 1 & 0 \\0 & 1 & 1 & 1 & 0 & 0 & 1 & 1 \\1 & 0 & 1 & 1 & 1 & 0 & 0 & 1\end{bmatrix}} & (13)\end{matrix}$

In FIG. 16 there is depicted an example of the construction of the linear transformation part 344A using this matrix, together with the nonlinear transformation parts 343 and 345. As shown, the four transformation boxes B1 to B4 are alternately inserted in the lines of the four left and four right routes from the eight S-boxes forming the first nonlinear transformation part 343, and consequently two XOR circuits are inserted in each line.

As is the case with the 4×4 matrix in the first embodiment, it can be ascertained as mentioned below whether the matrix for the mask value pathis a transposed matrix of the matrix P in the linear transformation part344A of FIG. 16 and whether n₁=5 correctly holds. By constructing a maskvalue path in the linear transformation part 344A of FIG. 16 usingconcatenation rules defined by Theorem 2 in the Appendix, the matrix^(T)P for the mask value path can be computed as follows:$\begin{matrix}{{\,^{T}P} = \begin{bmatrix}0 & 1 & 1 & 1 & 1 & 1 & 0 & 1 \\1 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\1 & 1 & 0 & 1 & 0 & 1 & 1 & 1 \\1 & 1 & 1 & 0 & 1 & 0 & 1 & 1 \\1 & 0 & 1 & 1 & 1 & 0 & 0 & 1 \\1 & 1 & 0 & 1 & 1 & 1 & 0 & 0 \\1 & 1 & 1 & 0 & 0 & 1 & 1 & 0 \\0 & 1 & 1 & 1 & 0 & 0 & 1 & 1\end{bmatrix}} & (14)\end{matrix}$

This indicates that the matrix ^(T)P is a transposed matrix of thematrix P. Further, it can be confirmed that the minimum number of actives-boxes is n₁=5.
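The search algorithm of Step 3-1 and the checks made on the matrix P of Equation (13) can be carried out mechanically. The following Python code is an added worked example and is not part of this specification: it evaluates n_(d) by the case formulas n_(d0) to n_(d9) above, checks the Step 2 and Step 3 conditions (column Hamming weights not less than T−1, rank 8), and cross-checks n_(d) against an independent exhaustive count of wt(x)+wt(Px) over all nonzero GF(2) input patterns x. The matrix P is copied from Equation (13); the function names are the example's own.

```python
from itertools import combinations, product

# Matrix P of Equation (13): entry P[i][j] = t_ij is 1 when input route j
# (mid_0j) is XORed into output route i (mid_1i).
P = [
    [0, 1, 1, 1, 1, 1, 1, 0],
    [1, 0, 1, 1, 0, 1, 1, 1],
    [1, 1, 0, 1, 1, 0, 1, 1],
    [1, 1, 1, 0, 1, 1, 0, 1],
    [1, 1, 0, 1, 1, 1, 0, 0],
    [1, 1, 1, 0, 0, 1, 1, 0],
    [0, 1, 1, 1, 0, 0, 1, 1],
    [1, 0, 1, 1, 1, 0, 0, 1],
]


def rank_gf2(M):
    """Rank over GF(2); rows are packed into ints so that elimination is a XOR."""
    rows = [int("".join(str(b) for b in r), 2) for r in M]
    rank = 0
    for bit in reversed(range(len(M[0]))):
        pivot = next((r for r in rows if (r >> bit) & 1), None)
        if pivot is None:
            continue
        rows.remove(pivot)
        rows = [r ^ pivot if (r >> bit) & 1 else r for r in rows]
        rank += 1
    return rank


def column_weights(M):
    """Hamming weight of every column (Step 2 requires each to be >= T-1)."""
    return [sum(row[j] for row in M) for j in range(len(M[0]))]


def candidate_ok(M, T):
    """Steps 2 and 3: column weights not less than T-1 and a bijective matrix."""
    return all(w >= T - 1 for w in column_weights(M)) and rank_gf2(M) == len(M)


def n_d(M):
    """n_d of Step 3-1: min over the cases n_d0..n_d9 of (active S-boxes in
    part 343) + (active S-boxes in part 345).  Row i of part 345 is active
    unless its coefficient tuple (t_ia, t_ib, ...) is one of the combinations
    on which the input differences of that case cancel."""
    n = len(M)

    def active_rows(cols, cancelling):
        return sum(1 for i in range(n)
                   if tuple(M[i][c] for c in cols) not in cancelling)

    def even(k):  # even-parity tuples: equal differences cancel exactly there
        return {t for t in product((0, 1), repeat=k) if sum(t) % 2 == 0}

    values = []
    for cols in combinations(range(n), 2):
        values.append(2 + active_rows(cols, even(2)))                 # n_d0
    for cols in combinations(range(n), 3):
        values.append(3 + active_rows(cols, even(3)))                 # n_d1
        values.append(3 + active_rows(cols, {(0, 0, 0), (1, 1, 1)}))  # n_d2
    four_column_cases = [
        even(4),                                                       # n_d3
        {(0, 0, 0, 0), (1, 1, 0, 0), (0, 1, 1, 1), (1, 0, 1, 1)},      # n_d4
        {(0, 0, 0, 0), (1, 0, 1, 0), (0, 1, 1, 1), (1, 1, 0, 1)},      # n_d5
        {(0, 0, 0, 0), (1, 0, 0, 1), (0, 1, 1, 1), (1, 1, 1, 0)},      # n_d6
        {(0, 0, 0, 0), (0, 1, 1, 0), (1, 0, 1, 1), (1, 1, 0, 1)},      # n_d7
        {(0, 0, 0, 0), (0, 1, 0, 1), (1, 0, 1, 1), (1, 1, 1, 0)},      # n_d8
        {(0, 0, 0, 0), (0, 0, 1, 1), (1, 1, 0, 1), (1, 1, 1, 0)},      # n_d9
    ]
    for cols in combinations(range(n), 4):
        for cancelling in four_column_cases:
            values.append(4 + active_rows(cols, cancelling))
    return min(values)


def branch_number(M):
    """Independent check: minimum of wt(x) + wt(Mx) over all nonzero GF(2)
    input patterns x.  Because M is binary and acts on each bit position of
    the m-bit subdata separately, any byte-level difference pattern contains
    a single bit-slice with no more active inputs and no more active outputs,
    so this bit-level minimum is also the byte-level minimum of active S-boxes."""
    n = len(M)
    best = 2 * n
    for x in product((0, 1), repeat=n):
        if any(x):
            y = [sum(M[i][j] & x[j] for j in range(n)) & 1 for i in range(n)]
            best = min(best, sum(x) + sum(y))
    return best


def transpose(M):
    """Matrix of the mask value path; for P this is Equation (14)."""
    return [list(col) for col in zip(*M)]


if __name__ == "__main__":
    print("rank", rank_gf2(P), "column weights", column_weights(P))
    print("n_d", n_d(P), "branch number", branch_number(P))
```

For P the example returns rank 8, column weights 6, 6, 6, 6, 5, 5, 5, 5, n_(d)=5, and the same value 5 from the exhaustive count, in agreement with the result above that the candidates have n_(d)=5=T; the minimum is attained by two active s-boxes in the part 343 (for instance columns 0 and 4, which differ in three rows) and three in the part 345. The search over eight-column subsets of C itself is not reproduced: for T=5 the set C contains every 8-bit vector of weight at least 4, and the subset count is far too large for a direct loop, which is why the search is restricted by the construction of FIG. 15.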

FIG. 17 illustrates concrete examples of the second key-dependent lineartransformation part 344 which comprises the linear transformation part344A of the construction determined above and a key transformation part344B.

The key transformation part 344B calculates the XORs of the key datak_(i10), k_(i11), k_(i12), . . . , k_(i17) and the outputs from thelinear transformation part by XOR circuits 63 ₀, 63 ₁, 63 ₂, . . . , 63₇, and yield output data mid₁₀, mid₁₁, mid₁₂, . . . , mid₁₇. With such afunctional construction as depicted in FIG. 17, the following operationsare performed.

mid ₁₀ =mid ₀₁ ⊕mid ₀₂ ⊕mid ₀₃ ⊕mid ₀₄ ⊕mid ₀₅ ⊕mid ₀₆ ⊕k _(i10)  (15-1)

mid ₁₁ =mid ₀₀ ⊕mid ₀₂ ⊕mid ₀₃ ⊕mid ₀₅ ⊕mid ₀₆ ⊕mid ₀₇ ⊕k _(i11)  (15-2)

mid ₁₂ =mid ₀₀ ⊕mid ₀₁ ⊕mid ₀₃ ⊕mid ₀₄ ⊕mid ₀₆ ⊕mid ₀₇ ⊕k _(i12)  (15-3)

mid ₁₃ =mid ₀₀ ⊕mid ₀₁ ⊕mid ₀₂ ⊕mid ₀₄ ⊕mid ₀₅ ⊕mid ₀₇ ⊕k _(i13)  (15-4)

mid ₁₄ =mid ₀₀ ⊕mid ₀₁ ⊕mid ₀₃ ⊕mid ₀₄ ⊕mid ₀₅ ⊕k _(i14)  (15-5)

mid ₁₅ =mid ₀₀ ⊕mid ₀₁ ⊕mid ₀₂ ⊕mid ₀₅ ⊕mid ₀₆ ⊕k _(i15)  (15-6)

mid ₁₆ =mid ₀₁ ⊕mid ₀₂ ⊕mid ₀₃ ⊕mid ₀₆ ⊕mid ₀₇ ⊕k _(i16)  (15-7)

mid ₁₇ =mid ₀₀ ⊕mid ₀₂ ⊕mid ₀₃ ⊕mid ₀₄ ⊕mid ₀₇ ⊕k _(i17)  (15-8)

The above operations generate the data mid₁₀, mid₁₁, mid₁₂, . . . ,mid₁₇. Incidentally, the subkey k_(i1) is composed of eight pieces ofdata k_(i10), k_(i11), k_(i12), . . . , k_(i17). In FIG. 17, the piecesof data mid₀₀ to mid₀₇ are input to routes 60 ₀ to 60 ₇, respectively.

The XOR circuits 61 ₄, 61 ₅, 61 ₆, 61 ₇ on the routes 60 ₄, 60 ₅, 60 ₆,60 ₇ calculate the XORs of the data mid₀₄ and mid₀₀, mid₀₅ and mid₀₁,mid₀₆ and mid₀₂, mid₀₇ and mid₀₃, respectively.

The XOR circuits 61 ₀, 61 ₁, 61 ₂, 61 ₃ on the routes 60 ₀, 60 ₁, 60 ₂,60 ₃ calculate the XORs of the data mid₀₀ and the output from the XORcircuit 61 ₆, the data mid₀₁ and the output from the XOR circuit 61 ₇,the data mid₀₂ and the output from the XOR circuit 61 ₄, the data mid₀₃and the output from the XOR circuit 61 ₅, respectively.

The XOR circuits 62 ₄, 62 ₅, 62 ₆, 62 ₇ on the routes 60 ₄, 60 ₅, 60 ₆,60 ₇ calculate the XORs of the outputs from the XOR circuits 61 ₃ and 61₄, the outputs from the XOR circuits 61 ₀ and 61 ₅, the outputs from theXOR circuits 61 ₁ and 61 ₆, the outputs from the XOR circuits 61 ₂ and61 ₇, respectively.

The XOR circuits 62 ₀, 62 ₁, 62 ₂, 62 ₃ on the routes 60 ₀, 60 ₁, 60 ₂,60 ₃ calculate the XORs of the outputs from the XOR circuits 61 ₀ and 62₄, the outputs from the XOR circuits 61 ₁ and 62 ₅, the outputs from theXOR circuits 61 ₂ and 62 ₆, the outputs from the XOR circuits 61 ₃ and62 ₇, respectively.

Furthermore, the XOR circuits 63 ₀ to 63 ₇ on the routes 60 ₀ to 60 ₇ XOR the outputs from the XOR circuits 62 ₀ to 62 ₇ and the key data k_(i10) to k_(i17), respectively, providing the outputs mid₁₀ to mid₁₇ from the routes 60 ₀ to 60 ₇. That is, the outputs mid₁₀ to mid₁₃ are the XORs of six pieces of data selected from the input data mid₀₀ to mid₀₇ and the key data, and the outputs mid₁₄ to mid₁₇ are the XORs of five pieces of data selected from the input data mid₀₀ to mid₀₇ and the key data.

Turning back to FIG. 14, the pieces of data mid₁₀, mid₁₁, mid₁₂, . . . ,mid₁₇ are nonlinearly transformed to pieces of data out₀, out₁, out₂, .. . , out₇ in the nonlinear transformation parts 345 ₀, 345 ₁, 345 ₂, .. . , 345 ₇, and in the combining part 346 the eight pieces of dataout₀, out₁, out₂, . . . , out₇ are combined into a single piece of dataY_(i)*. Finally, the data Y_(i)* is linearly transformed to data Y_(i),for example, by a k_(i2)-bit left rotation in the third key-dependentlinear transformation 347 using the key data k_(i2), thereby generatingthe output data Y_(i) from the nonlinear function part 304.

The nonlinear transformation parts 343 ₀ to 343 ₇ and 345 ₀ to 345 ₇function just like S-boxes for DES cipher, and they are each formed by,for example, ROM, which receives input data as an address to read outtherefrom the corresponding data.

The eight nonlinear transformation parts 343 ₀ to 343 ₇ are arranged in parallel and their transformation processes are independent of one another, and hence they can be executed in parallel. The same goes for the nonlinear transformation parts 345 ₀ to 345 ₇. Thus, the nonlinear transformation operations can be executed in one step for each group (a total of two steps). Letting p represent the differential/linear probability of the nonlinear transformation parts 343 ₀ to 343 ₇ and 345 ₀ to 345 ₇, the nonlinear function part 304 provides a differential/linear probability of p⁵ as a whole when the second key-dependent linear transformation part 344 has the construction shown in FIG. 17. Accordingly, when the number of rounds of the entire data transformation device is 3r, any differential or linear approximation holds with a probability P≦p^(10r); for example, when r=4 (12 rounds), P≦p⁴⁰. In the case of the DES cipher this corresponds to 60 or more rounds, making it possible to provide a data transformation device sufficiently secure against differential cryptanalysis and linear cryptanalysis. Incidentally, the second key-dependent linear transformation part 344 is not limited specifically to the linear transformation part depicted in FIG. 17 but may be modified as shown in FIG. 18, for instance.

In this instance, the following operations are conducted.

mid ₁₀ =mid ₀₁ ⊕mid ₀₂ ⊕mid ₀₄ ⊕mid ₀₅ ⊕mid ₀₆ ⊕mid ₀₇ ⊕k _(i10)  (16-1)

mid ₁₁ =mid ₀₁ ⊕mid ₀₂ ⊕mid ₀₃ ⊕mid ₀₄ ⊕mid ₀₆ ⊕k _(i11)  (16-2)

mid ₁₂ =mid ₀₀ ⊕mid ₀₁ ⊕mid ₀₃ ⊕mid ₀₄ ⊕mid ₀₅ ⊕mid ₀₆ ⊕k _(i12)  (16-3)

mid ₁₃ =mid ₀₀ ⊕mid ₀₃ ⊕mid ₀₄ ⊕mid ₀₆ ⊕mid ₀₇ ⊕k _(i13)  (16-4)

mid ₁₄ =mid ₀₀ ⊕mid ₀₂ ⊕mid ₀₃ ⊕mid ₀₅ ⊕mid ₀₆ ⊕mid ₀₇ ⊕k _(i14)  (16-5)

mid ₁₅ =mid ₀₀ ⊕mid ₀₁ ⊕mid ₀₂ ⊕mid ₀₅ ⊕mid ₀₆ ⊕k _(i15)  (16-6)

mid ₁₆ =mid ₀₀ ⊕mid ₀₁ ⊕mid ₀₂ ⊕mid ₀₃ ⊕mid ₀₄ ⊕mid ₀₇ ⊕k _(i16)  (16-7)

mid ₁₇ =mid ₀₀ ⊕mid ₀₂ ⊕mid ₀₄ ⊕mid ₀₅ ⊕mid ₀₇ ⊕k _(i17)  (16-8)

Alternatively, the circuit construction of FIG. 19 may be used, in whichcase the following operations are performed.

mid ₁₀ =mid ₀₀ ⊕mid ₀₁ ⊕mid ₀₄ ⊕mid ₀₅ ⊕mid ₀₆ ⊕k _(i10)  (17-1)

mid ₁₁ =mid ₀₁ ⊕mid ₀₃ ⊕mid ₀₄ ⊕mid ₀₅ ⊕mid ₀₇ ⊕k _(i11)  (17-2)

mid ₁₂ =mid ₀₀ ⊕mid ₀₂ ⊕mid ₀₄ ⊕mid ₀₆ ⊕mid ₀₇ ⊕k _(i12)  (17-3)

 mid ₁₃ =mid ₀₂ ⊕mid ₀₃ ⊕mid ₀₅ ⊕mid ₀₆ ⊕mid ₀₇ ⊕k _(i13)  (17-4)

mid ₁₄ =mid ₀₀ ⊕mid ₀₁ ⊕mid ₀₃ ⊕mid ₀₅ ⊕mid ₀₆ ⊕mid ₀₇ ⊕k _(i14)  (17-5)

mid ₁₅ =mid ₀₁ ⊕mid ₀₂ ⊕mid ₀₃ ⊕mid ₀₄ ⊕mid ₀₆ ⊕mid ₀₇ ⊕k _(i15)  (17-6)

mid ₁₆ =mid ₀₀ ⊕mid ₀₁ ⊕mid ₀₂ ⊕mid ₀₄ ⊕mid ₀₅ ⊕mid ₀₇ ⊕k _(i16)  (17-7)

mid ₁₇ =mid ₀₀ ⊕mid ₀₂ ⊕mid ₀₃ ⊕mid ₀₄ ⊕mid ₀₅ ⊕mid ₀₆ ⊕k _(i17)  (17-8)

As is evident from the operations in FIGS. 17 to 19, the second key-dependent linear transformation part 344 performs a key-dependent linear transformation which yields a total of eight pieces of output data mid₁₀, mid₁₁, mid₁₂, . . . , mid₁₇, that is, four pieces of output data derived from six pieces of data selected from the eight pieces of input data mid₀₀, mid₀₁, mid₀₂, . . . , mid₀₇ and four pieces of output data derived from five pieces of data selected from the eight pieces of input data. If this linear transformation is one in which each of the eight pieces of input data mid₀₀, mid₀₁, mid₀₂, . . . , mid₀₇ affects the output data of at least four other routes (for instance, in the FIG. 17 example the input data mid₀₀ affects the six pieces of output data mid₁₁, mid₁₂, mid₁₃, mid₁₄, mid₁₅ and mid₁₇), the nonlinear function part 304 provides a differential/linear probability of p⁵ as a whole, as described previously with reference to FIG. 17.

The key data {fk, k₀₀, k₀₁, k₀₂, k₁₀, k₁₁, k₁₂, . . . , k_((N−1)0), k_((N−1)1), k_((N−1)2), ek} is data provided by inputting the master key via the key input part 320 to the expanded key generation part 321, transforming it to key data and storing it in the key storage part 322.

The expanded key generation part 321 may be made identical inconstruction with the expanded key generation part 21 for DES ciphershown in FIG. 1, or an expanded key generation part disclosed in U.S.Pat. No. 4,850,019.

Since the initial key-dependent transformation part 302, the finalkey-dependent transformation part 308 and the key-dependent lineartransformation parts 341, 344 and 347 are key-dependent lineartransformation means, the data transformation device is alsosufficiently secure against other cryptanalysis techniques thandifferential and linear cryptanalysis.

The fourth embodiment is not limited specifically to the aboveconstructions; if speedup is desired, any one of the initialkey-dependent transformation part 302, the final key-dependenttransformation part 308 and the key-dependent linear transformationparts 341, 344 and 347 may be omitted or modified to key-independenttransformation means. In this case, the encryption speed can beincreased without significantly diminishing the security againstdifferential cryptanalysis and linear cryptanalysis.

Fifth Embodiment

A description will be given of a modified form of the functional configuration of the nonlinear function part 304 in the same data transformation device as the fourth embodiment depicted in FIG. 13. The basic construction of this embodiment is the same as that of the fourth embodiment of FIG. 13 except that the nonlinear transformation parts 343 ₀ to 343 ₇ in the nonlinear function part 304 of FIG. 14 are modified, like the nonlinear transformation parts 343 ₀′, 343 ₁′, 343 ₂′ and 343 ₃′ in the second embodiment depicted in FIGS. 8A through 8D, so that they output expanded data. The second key-dependent linear transformation part 344 has a construction similar to that shown in FIG. 9.

As depicted in FIG. 13, the right block data R_(i) is input to the nonlinear function part 304 together with the key data k_(i0), k_(i1), k_(i2) stored in the key storage part 322. In the first key-dependent linear transformation part 341 the data R_(i) is, for example, XORed with the key data k_(i0) and hence is linearly transformed to data R_(i)*=R_(i)⊕k_(i0) as in the case of FIG. 14. Then the data R_(i)* is split into eight pieces of data in₀, in₁, in₂, . . . , in₇ in the splitting part 342. The eight pieces of data in₀, in₁, in₂, . . . , in₇ are nonlinearly transformed to data MID₀₀, MID₀₁, MID₀₂, . . . , MID₀₇ in the nonlinear transformation parts 343 ₀′, 343 ₁′, 343 ₂′, . . . , 343 ₇′, respectively. The nonlinear transformation part 343 ₀′ is so designed as to transform the m-bit data in₀ to the following 8×m-bit data.

MID ₀₀=[00 . . . 0₍₂₎ , mid ₀₀ , mid ₀₀ , mid ₀₀ , mid ₀₀ , mid ₀₀, 00 .. . 0₍₂₎ , mid ₀₀]  (18-1)

That is, the nonlinear transformation part 343 ₀′ has, for example, asshown in FIG. 20A, an S-box which outputs the data mid₀₀ in high-order mbits as does the nonlinear transformation part 343 ₀ in the fourthembodiment of FIG. 14 and outputs “00 . . . 0₍₂₎” as low-order m bits;furthermore, it branches the output data mid₀₀ in six routes and “00 . .. 0₍₂₎” in two other routes.

The nonlinear transformation part 343 ₁′ has, as depicted in FIG. 20B,an S-box 343 ₁ which outputs the data mid₀₁ in high-order m bits andoutputs “00 . . . 0₍₂₎” as low-order m bits; furthermore, it branchesthe output data mid₀₁ in six routes and m-bit data “00 . . . 0” in twoother routes. The other nonlinear transformation parts 343 ₂′ to 343 ₇′are also similarly constructed; in FIG. 20C there is depicted theconstruction of the nonlinear transformation part 343 ₇′ but nodescription will be repeated. These nonlinear transformation parts 343₁′ to 343 ₇′ transform data in₁ to in₇ to the following data MID₀₁ toMID₀₇, respectively.

MID ₀₁ =[mid ₀₁, 00 . . . 0₍₂₎ , mid ₀₁ , mid ₀₁ , mid ₀₁ , mid ₀₁ , mid₀₁, 00 . . . 0₍₂₎]  (18-2)

MID ₀₂ =[mid ₀₂ , mid ₀₂, 00 . . . 0₍₂₎ , mid ₀₂, 00 . . . 0₍₂₎ , mid ₀₂, mid ₀₂ , mid ₀₂]  (18-3)

MID ₀₃ =[mid ₀₃ , mid ₀₃ , mid ₀₃, 00 . . . 0₍₂₎ , mid ₀₃, 00 . . . 0₍₂₎, mid ₀₃ , mid ₀₃]  (18-4)

MID ₀₄ =[mid ₀₄, 00 . . . 0₍₂₎ , mid ₀₄ , mid ₀₄ , mid ₀₄, 00 . . .0₍₂₎, 00 . . . 0₍₂₎ , mid ₀₄]  (18-5)

MID ₀₅ =[mid ₀₅ , mid ₀₅, 00 . . . 0₍₂₎ , mid ₀₅ , mid ₀₅ , mid ₀₅, 00 .. . 0₍₂₎, 00 . . . 0₍₂₎]  (18-6)

MID ₀₆ =[mid ₀₆ , mid ₀₆ , mid ₀₆, 00 . . . 0₍₂₎, 00 . . . 0₍₂₎ , mid ₀₆, mid ₀₆, 00 . . . 0₍₂₎]  (18-7)

MID ₀₇=[00 . . . 0₍₂₎ , mid ₀₇ , mid ₀₇ , mid ₀₇, 00 . . . 0₍₂₎, 00 . .. 0₍₂₎ , mid ₀₇ , mid ₀₇]  (18-8)

These pieces of data MID₀₀ to MID₀₇ can be predetermined in the same manner as described previously in connection with Equations (8-1) to (8-4) in the second embodiment. That is, the data MID₀₀ is the set of data obtained at the outputs of the eight routes of the linear transformation part 344A in FIG. 17 when the pieces of data mid₀₁ to mid₀₇ other than mid₀₀ are all set to "00 . . . 0₍₂₎." The same goes for the data MID₀₁ to MID₀₇. These nonlinear transformation parts 343 ₀′ to 343 ₇′ may be formed by memory from which the pieces of data MID₀₀ to MID₀₇ are directly read out using the data in₀ to in₇ as addresses.

Then the pieces of data MID₀₀ to MID₀₇ are input to the secondkey-dependent linear transformation part 344 using the key data k_(i1)as shown in FIG. 21. The second key-dependent linear transformation part344 is made up of XOR circuits 41 ₁ to 41 ₄ each of which XORs twopieces of input data, XOR circuits 42 ₁ and 42 ₂ each of which XORs theoutputs from two of them, an XOR circuit 43 which XORs their outputs,and an XOR circuit 44 which XORs its output and the key data k_(i1).With this construction, the following operation is conducted.

MID ₁ =MID ₀₀ ⊕MID ₀₁ ⊕MID ₀₂ ⊕MID ₀₃ ⊕MID ₀₄ ⊕MID ₀₅ ⊕MID ₀₆ ⊕MID ₀₇ ⊕k_(i1)   (19)

This output MID₁ is split into eight blocks, which are output as datamid₁₀, mid₁₁, mid₁₂, . . . , mid₁₇. Eventually, the lineartransformation by the second key-dependent linear transformation part344, expressed in units of m-bit subblocks, becomes as follows:

mid ₁₀ =mid ₀₁ ⊕mid ₀₂ ⊕mid ₀₃ ⊕mid ₀₄ ⊕mid ₀₅ ⊕mid ₀₆ ⊕k _(i10)  (20-1)

mid ₁₁ =mid ₀₀ ⊕mid ₀₂ ⊕mid ₀₃ ⊕mid ₀₅ ⊕mid ₀₆ ⊕mid ₀₇ ⊕k _(i11)  (20-2)

mid ₁₂ =mid ₀₀ ⊕mid ₀₁ ⊕mid ₀₃ ⊕mid ₀₄ ⊕mid ₀₆ ⊕mid ₀₇ ⊕k _(i12)  (20-3)

mid ₁₃ =mid ₀₀ ⊕mid ₀₁ ⊕mid ₀₂ ⊕mid ₀₄ ⊕mid ₀₅ ⊕mid ₀₇ ⊕k _(i13)  (20-4)

mid ₁₄ =mid ₀₀ ⊕mid ₀₁ ⊕mid ₀₃ ⊕mid ₀₄ ⊕mid ₀₅ ⊕k _(i14)  (20-5)

mid ₁₅ =mid ₀₀ ⊕mid ₀₁ ⊕mid ₀₂ ⊕mid ₀₅ ⊕mid ₀₆ ⊕k _(i15)  (20-6)

mid ₁₆ =mid ₀₁ ⊕mid ₀₂ ⊕mid ₀₃ ⊕mid ₀₆ ⊕mid ₀₇ ⊕k _(i16)  (20-7)

mid ₁₇ =mid ₀₀ ⊕mid ₀₂ ⊕mid ₀₃ ⊕mid ₀₄ ⊕mid ₀₇ ⊕k _(i17)  (20-8)

The above equations express a linear transformation equivalent to thatby Equations (15-1) to (15-8) described previously with reference toFIG. 17. As a result, the same pieces of data mid₁₀, mid₁₁, mid₁₂, . . ., mid₁₇ are generated. Incidentally, the subkey data k_(i1), is composedof eight pieces of data k_(i10), k_(i11), k_(i12), . . . , k_(i17).

Next, the eight pieces of data mid₁₀, mid₁₁, mid₁₂, . . . , mid₁₇ arenonlinearly transformed to eight pieces of data out₀, out₁, out₂, . . ., out₇ in the nonlinear transformation parts 345 ₀, 345 ₁, 345 ₂, . . ., 345 ₇ in FIG. 14, and the eight pieces of data out₀, out₁, out₂, . . ., out₇ are combined into a single piece of data Y_(i)* in the combiningpart 346. Finally, the data Y_(i)* is linearly transformed to data Y_(i)by, for example, a k_(i2)-bit left rotation in the third key-dependentlinear transformation part 347 using the key data k_(i2).

As depicted in FIG. 21, the second key-dependent linear transformationpart 344 uses eight XOR circuits but implements the lineartransformation equivalent to that in FIG. 17 (which uses 24 XORcircuits), and hence it permits faster transformation than the fourthembodiment.

Furthermore, as is the case with the fourth embodiment, the eight nonlinear transformation parts 343 ₀′ to 343 ₇′ and 345 ₀ to 345 ₇ are arranged in parallel and their nonlinear transformation processes are independent of one another, and hence they can be executed in parallel. Besides, letting p represent the differential/linear probability of the nonlinear transformation parts 343 ₀′ to 343 ₇′ and 345 ₀ to 345 ₇, the differential/linear probability of the nonlinear function part 304 becomes p⁵ as a whole.

In the above, the second (key-dependent) linear transformation part 344may perform the transformation by XORing of the input subdata withoutdepending on the key k_(i1). That is, the XOR circuits 63 ₀ to 63 ₇ inFIG. 17 and the circuits corresponding thereto in FIGS. 18, 19 and 21may be omitted.

Moreover, in the above, the first key-dependent linear transformationpart 341, the second key-dependent transformation part 344 and the thirdkey-dependent transformation part 347 need not always be key-dependent,that is, the linear transformation may be performed in subdata withoutinputting the key data to them.

The data transformation processing in the fourth and fifth embodimentsdescribed above may also be implemented by executing a program of itsprocedure by a computer. The procedure is the same as shown in FIGS. 11and 12; hence, no description will be repeated.

FIG. 22 illustrates an example of the system configuration wherein theprogram for the data transformation processing described in connectionwith the first to fifth embodiment is prerecorded on a recording mediumand is read out therefrom to perform the data transformation accordingto the present invention. A central processing unit (CPU) 110, aread-only memory (ROM) 120, a random access memory (RAM) 130, a storagedevice (a hard disk HD, for instance) 140, an I/O interface 150 and abus interconnecting them constitute an ordinary computer 100. Theprogram for implementing the data transformation process according tothe present invention is prestored on the recording medium such as thehard disk HD. In the ROM 120 there are stored respective S-boxes intabular form. In the execution of the data transformation the program isread into the RAM 130 from the hard disk HD 140, and upon input of theplaintext M via the interface 150, then the program is executed underthe control of the CPU 110, and the resulting output data C is outputvia the interface 150.

The program for the data transformation process may be one that isprestored in an arbitrary external storage device 180. In such aninstance, the program can be used after once transferred via a driver170 from the external storage device 180 to the hard disk 140 or the RAM130.

Though not shown, when the output data C is sent over a communicationline or the Internet, only a person who has a common secret key isqualified to decrypt the output data C. Since the data C transformedaccording to the present invention is highly resistant to differentialcryptanalysis and linear cryptanalysis, it is possible to achievetransmission of information with increased security.

Incidentally, when in each embodiment the key scheduling part 20 has thesame construction as depicted in FIG. 3, the subkeys used as k_(i) andk_(i+1) in the data diffusion part 10 become the outputs Q_(2j) andQ_(2j+1) (where i=2j) from the key processing part 21 in the keyscheduling part 20. On the other hand, since it is the subkeys k_(N) andk_(N−1) that are very likely to be analyzed by differentialcryptanalysis or linear cryptanalysis, a combination of data diffusionparts with these pieces of information allows ease in finding othersubkeys.

The embodiment described below is intended to solve this problem by using a more complex key scheduling algorithm in the key scheduling part 20 that generates the subkeys for the data transformation device of FIG. 4, which is typical of the embodiments described above. To prevent a successful analysis of the subkeys k_(N) and k_(N−1) from leaking much information about the outputs of the other data diffusion parts, the following embodiment employs a G-function part which performs the same function as the key diffusion part 22 depicted in FIG. 3 (the function fk in FIG. 3), together with an H-function part which extracts the information needed to generate the subkeys. According to a first aspect of key generation, the L components output from the G-function part are first stored in a storage part, and the H-function part then extracts, as uniformly as possible, the necessary information from a required number of the stored L components. According to a second aspect, the H-function part extracts from the L components output from the G-function part the partial information to be used as subkeys and stores it in a storage part, and the necessary information is then extracted from a required number of L components to generate the subkeys.

In the case of DES, since the subkeys are generated only by swapping bit positions of the master key, the key scheduling process is fast. However, there is a problem that if some of the subkeys are known, the corresponding master key can be obtained immediately.

To provide increased complexity in the relationship between the master key and the subkeys without involving a substantial increase in the computational complexity of key scheduling and without increasing the program size of the key scheduling part, the G-function is constructed as a data diffusion function through the use of the F-function used in the data diffusion part, or of a subroutine forming the F-function (either of which will hereinafter be denoted by f), and a plurality of intermediate values L are generated by repeatedly using the G-function.

The G-function is adapted to operate on two input components (Y, v) and generate three output components (L, Y, v). The bit length of the component Y is equal to or larger than the bit length of the master key K.

To supply subkeys to the data diffusion part, the G-function is called a required number (M) of times to generate M components L_(j+1) (where 0≦j≦M−1). Letting the output from the G-function called a j-th time be represented by (L_(j), Y_(j), v_(j)), part of this value, namely (Y_(j), v_(j)), is used as the input (Y_(j+1)=Y_(j), v_(j+1)=v_(j)) to the G-function called a (j+1)-th time. Assume here that Y₀ is a value containing K and that v₀ is a predetermined value (0, for instance).

For a given master key K, the subkey k_(i) (where i=0, 1, 2, . . . , N−1) is determined as follows:

$\begin{matrix}{\left( {L_{1},\left( {Y_{1},v_{1}} \right)} \right) = {G\left( {Y_{0},v_{0}} \right)}} & (21)\end{matrix}$

$\begin{matrix}{\left( {L_{j + 1},\left( {Y_{j + 1},v_{j + 1}} \right)} \right) = {G\left( {Y_{j},v_{j}} \right)\quad \left( {{j = 1},2,\ldots,{M - 1}} \right)}} & (22)\end{matrix}$

$\begin{matrix}{k_{i} = {H\left( {i,L_{1},L_{2},\ldots,L_{M}} \right)\quad \left( {{i = 0},1,2,\ldots,{N - 1}} \right)}} & (23)\end{matrix}$

where the H-function is a means to extract, from each component L_(j), the information about the bit positions determined by the suffix i of the subkey, as required, according to that suffix i and the M components L output from the G-function.

Sixth Embodiment

In FIG. 23A there is depicted the basic construction of the key scheduling part of this embodiment for application to the key scheduling part 20 shown in FIG. 4A. The master key K is input to an intermediate key generation part 220; the intermediate key generation part 220 has a plurality (M rounds) of G-function parts which operate in cascade, and generates intermediate keys L₁ to L_(M), which are stored in a storage part 230. The intermediate keys L₁ to L_(M) stored in the storage part 230 are provided to a subkey generation part 240, wherein subkeys k_(i) are generated by an H-function part. The structure and operation of each part will be concretely described below.

This example is intended to increase the security of the key scheduling part shown in FIG. 3 using the data randomization part disclosed in the aforementioned U.S. patent issued to Miyaguchi et al. This embodiment will be described as being applied to the key scheduling part (FIG. 3) in the U.S. patent of Miyaguchi et al. when N=16.

In FIG. 3, 16 Q components are obtained by 8 (=N/2) rounds of data diffusion parts. Here, let Q_(j) represent the respective Q component. Each Q_(j) component is 16 bits. The subkey generation part 240 constructs the subkey k₀ from the values of the first bit of the respective Q_(j) components, the subkey k₁ from the values of the second bit of the respective Q_(j) components, and in general, the subkey k_(i−1) from the values of the i-th bit of the Q_(j) components. That is, letting Q_(j)[i] represent the i-th bit of the Q_(j) component, the subkey is expressed by the following equation.

$\begin{matrix}{k_{i - 1} = \left( {Q_{1}\lbrack i\rbrack,Q_{2}\lbrack i\rbrack,\ldots,Q_{j}\lbrack i\rbrack,\ldots,Q_{16}\lbrack i\rbrack} \right)} & (24)\end{matrix}$

where 1≦i, j≦16.

This processing method will be reviewed below in the framework of the G- and H-functions mentioned above. Here, Y_(j) represents a 64-bit value, Y_(j) ^(L) the high-order 32 bits of Y_(j), and Y_(j) ^(R) the low-order 32 bits of Y_(j).

Letting the output from the G-function for the input (Y_(j), v_(j)) be represented by

$\begin{matrix}{\left( {L_{j + 1},\left( {Y_{j + 1},v_{j + 1}} \right)} \right) = {G\left( {Y_{j},v_{j}} \right)\quad \left( {0 \leq j \leq 7} \right)}} & (25)\end{matrix}$

the output (L_(j+1), (Y_(j+1), v_(j+1))) is given by the following equations.

$\begin{matrix}{Y_{j + 1}^{L} = Y_{j}^{R}} & (26) \\{Y_{j + 1}^{R} = L_{j + 1} = {f_{k}\left( {Y_{j}^{L},{Y_{j}^{R} \oplus v_{j}}} \right)}} & (27) \\{v_{j + 1} = Y_{j}^{L}} & (28)\end{matrix}$

The subkey k_(i) is given as a function of i and L₁ to L₈ by the following equation.

$\begin{matrix}{k_{i - 1} = {H\left( {i,L_{1},L_{2},\ldots,L_{8}} \right)}} & (29)\end{matrix}$

Letting each L_(j) be represented by (t_(j) ⁽¹⁾, t_(j) ⁽²⁾, . . . , t_(j) ⁽³²⁾), the H-function constructs the subkey k_(i) as follows:

$\begin{matrix}{k_{i} = {\left( {t_{1}^{(i)},t_{1}^{({16 + i})},t_{2}^{(i)},t_{2}^{({16 + i})},\ldots,t_{8}^{(i)},t_{8}^{({16 + i})}} \right)\quad \left( {1 \leq i \leq 16} \right)}} & (30)\end{matrix}$

Since this method provides 16 subkeys at the maximum, the encryption algorithm described in the U.S. patent by Miyaguchi et al. can be used for a structure with a maximum of eight rounds of F-functions.

The construction of the intermediate key generation part 220 shown in FIG. 23A will be described below with reference to FIG. 24. G-function parts 22-1 to 22-8 are provided in cascade. The master key K is input as Y₀ to the first-round G-function part 22-1 together with a constant v₀, and Y_(j−1) and v_(j−1) are input to the G-function part 22-j of each j-th round; each G-function part randomizes Y_(j−1) and outputs L_(j), Y_(j) and v_(j). L_(j) is an intermediate key, and Y_(j) and v_(j) are fed to the next G-function part 22-(j+1). That is, after setting Y₀=K and v₀=0, the G-function part 22 is called eight times. The construction of the G-function part is depicted in FIG. 25, for which the following process is repeated from j=0 to j=7.

Step 1: Upon input of Y_(j) and v_(j) to the G-function part 22-(j+1), split Y_(j) into two blocks (Y_(j) ^(L), Y_(j) ^(R)) by a splitting part 221 in FIG. 25.

Step 2: Output Y_(j) ^(L) as v_(j+1). Input Y_(j) ^(L) to a data diffusion part (f_(k)) 222.

Step 3: Input Y_(j) ^(R) to a data swapping part 224. Input Y_(j) ^(R) and v_(j) to an XOR circuit 223 to compute Y_(j) ^(R)⊕v_(j) and input the result of computation to the data diffusion part (f_(k)) 222.

Step 4: Upon receiving Y_(j) ^(L) and Y_(j) ^(R)⊕v_(j) as inputs thereto, the data diffusion part (f_(k)) 222 outputs the result of computation as L_(j+1) and, at the same time, inputs it to the swapping part 224.

Step 5: Upon receiving Y_(j) ^(R) and the result of computation L_(j+1) by the data diffusion part (f_(k)) 222, the swapping part 224 renders Y_(j) ^(R) as Y_(j+1) ^(L) and L_(j+1) as Y_(j+1) ^(R), then concatenates them into Y_(j+1)=(Y_(j+1) ^(L), Y_(j+1) ^(R)), and outputs it.

The eight L_(j) components output from the G-function parts 22-1 to 22-8 are once stored in the storage part 230 (FIG. 23A).

Next, a description will be given, with reference to FIG. 26, of the construction of the H-function part serving as the subkey generation part 240. The H-function part 240 performs the following steps after reading out the eight L components L₁ to L₈ from the storage part 230.

Step 1: Read out each component L_(j) from the storage part 230 and input it to a bit splitter 241 to split it bitwise as follows:

$\begin{matrix}{\left( {t_{j}^{(1)},t_{j}^{(2)},\ldots,t_{j}^{(32)}} \right) = {L_{j}\quad \left( {{j = 1},2,\ldots,8} \right)}} & (31)\end{matrix}$

Step 2: Input (t₁ ^((i)), t₁ ^((16+i)), t₂ ^((i)), t₂ ^((16+i)), . . . , t₈ ^((i)), t₈ ^((16+i))) to a bit combiner 242 to obtain the subkey as follows:

$\begin{matrix}{k_{i} = {\left( {t_{1}^{(i)},t_{1}^{({16 + i})},t_{2}^{(i)},t_{2}^{({16 + i})},\ldots,t_{8}^{(i)},t_{8}^{({16 + i})}} \right)\quad \left( {{i = 1},2,\ldots,16} \right)}} & (32)\end{matrix}$
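The G-function rounds of FIG. 25 (Equations (26) to (28)) and the bit-extracting H-function of FIG. 26 (Equations (31) and (32)), written out as an added Python example; this is not code from the patent. The data diffusion part f_k is not specified here, so a constructed 32-bit mixing function stands in for it (labelled as such in the code), and t_j^(1) is assumed to be the most significant bit of the 32-bit L_j. Because H is a pure bit transposition, the example also shows the property the "Effect of the Invention" section relies on: each bit of each L_j lands in exactly one subkey, so knowing k_6 to k_11 reveals exactly 12 bit positions of every L_j.

```python
"""Sixth-embodiment key schedule in G-function / H-function form (added example)."""
from typing import List, Tuple

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


def f_k(a: int, b: int) -> int:
    """Stand-in for the data diffusion part f_k 222 of FIG. 25.

    ASSUMPTION: the patent fixes no concrete f_k in this section; this is a
    constructed 32-bit mixing function with no cryptographic claim.
    """
    x = (a * 0x9E3779B1 + b) & MASK32
    x ^= x >> 15
    x = (x * 0x85EBCA77) & MASK32
    x ^= x >> 13
    return x ^ (((a << 7) | (a >> 25)) & MASK32)


def g_function(y: int, v: int) -> Tuple[int, int, int]:
    """One G-function part: (Y_j, v_j) -> (L_{j+1}, Y_{j+1}, v_{j+1}), Steps 1-5."""
    y_left = (y >> 32) & MASK32          # Step 1: split Y_j into (Y^L, Y^R)
    y_right = y & MASK32
    l_next = f_k(y_left, y_right ^ v)    # Steps 3-4, Eq. (27): L_{j+1} = f_k(Y^L, Y^R xor v_j)
    y_next = (y_right << 32) | l_next    # Step 5, Eqs. (26)-(27): Y_{j+1} = (Y^R, L_{j+1})
    v_next = y_left                      # Step 2, Eq. (28): v_{j+1} = Y^L
    return l_next, y_next, v_next


def intermediate_keys(master_key: int, v0: int = 0, rounds: int = 8) -> List[int]:
    """Intermediate key generation part 220: Y_0 = K, v_0 = 0, G called eight times."""
    y, v = master_key & MASK64, v0 & MASK32
    ls = []
    for _ in range(rounds):
        l, y, v = g_function(y, v)
        ls.append(l)
    return ls                            # L_1 .. L_8 (storage part 230)


def bit_of(l: int, position: int) -> int:
    """t_j^(position), 1 <= position <= 32. ASSUMPTION: t_j^(1) is the MSB of L_j."""
    return (l >> (32 - position)) & 1


def h_function(i: int, ls: List[int]) -> int:
    """Subkey generation part 240, Eq. (32): k_i = (t_1^(i), t_1^(16+i), ..., t_8^(i), t_8^(16+i))."""
    if not 1 <= i <= 16:
        raise ValueError("subkey index i must be in 1..16")
    k = 0
    for l in ls:                         # bit splitter 241 + bit combiner 242
        k = (k << 1) | bit_of(l, i)
        k = (k << 1) | bit_of(l, 16 + i)
    return k                             # 16-bit subkey


def subkeys(master_key: int, v0: int = 0) -> List[int]:
    """All 16 subkeys k_1 .. k_16 for a 64-bit master key."""
    ls = intermediate_keys(master_key, v0)
    return [h_function(i, ls) for i in range(1, 17)]


def reassemble_intermediate_key(j: int, ks: List[int]) -> int:
    """Inverse of H for one L_j (1 <= j <= 8): the 16 subkeys together contain every bit of L_j."""
    l = 0
    for pos in range(1, 33):
        i = pos if pos <= 16 else pos - 16                 # which subkey holds t_j^(pos)
        offset = 2 * (j - 1) + (0 if pos <= 16 else 1)     # its offset from the MSB of k_i
        l = (l << 1) | ((ks[i - 1] >> (15 - offset)) & 1)
    return l


def l_bits_exposed(known_subkey_indices) -> set:
    """Bit positions (1..32) of every L_j that are fixed once the subkeys k_i, i in the given set, are known."""
    return {p for i in known_subkey_indices for p in (i, 16 + i)}
```

With only a subset of subkeys known, `l_bits_exposed` gives the positions the patent cites (the 6th to 11th and 22nd to 27th bits when k_6 to k_11 are known); the remaining 20 bits of each L_j stay undetermined, which is the point of extracting subkey material uniformly across all L components.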

Seventh Embodiment

A description will be given, with reference to FIGS. 23B, 24, 25 and 27, of another embodiment which outputs the same subkeys as does the sixth embodiment.

As shown in FIG. 23B, a plurality of intermediate keys L_(j) are generated in the intermediate key generation part 220. The intermediate key generation part 220 is identical in construction with that depicted in FIG. 23A; that is, it comprises the plurality of G-function parts 22 as shown in FIG. 24. Upon each generation of the intermediate key L_(j) in the G-function part 22, the intermediate key L_(j) is fed to the subkey generation part 250, from which bit position information, which is determined by the suffix i of the subkey k_(i) and its bit position q, is output as information k_(iq) and is stored in the storage part 260.

That is, the intermediate key generation part 220 and the subkey generation part 250 repeat the following steps 1 through 7 for each value from j=0 to j=7.

Step 1: Upon input of Y_(j) and v_(j) to the G-function part 22-(j+1), split Y_(j) into two blocks (Y_(j) ^(L), Y_(j) ^(R)) by the splitting part 221.

Step 2: Output Y_(j) ^(L) as v_(j+1), and input Y_(j) ^(L) to the data diffusion part (f_(k)) 222.

Step 3: Input Y_(j) ^(R) to the swapping part 224, and input Y_(j) ^(R) and v_(j) to the XOR circuit 223 to calculate Y_(j) ^(R)⊕v_(j) and input it to the data diffusion part (f_(k)) 222.

Step 4: Upon receiving Y_(j) ^(L) and Y_(j) ^(R)⊕v_(j), the data diffusion part (f_(k)) 222 inputs the result of its computation as L_(j+1) to the subkey generation part 250 (FIG. 23B) and, at the same time, inputs it to the swapping part 224.

Step 5: Upon receiving Y_(j) ^(R) and the result of calculation L_(j+1) from the data diffusion part (f_(k)) 222, the swapping part 224 renders Y_(j) ^(R) as Y_(j+1) ^(L) and L_(j+1) as Y_(j+1) ^(R), then concatenates them into Y_(j+1)=(Y_(j+1) ^(L), Y_(j+1) ^(R)) and outputs it.

Step 6: As depicted in FIG. 27, the subkey generation part 250 inputs L_(j) to a bit splitter 251 to split it bitwise as follows:

$\begin{matrix}{\left( {t_{j}^{(1)},t_{j}^{(2)},\ldots,t_{j}^{(32)}} \right) = {L_{j}\quad \left( {{j = 1},2,\ldots,8} \right)}} & (33)\end{matrix}$

and then inputs them to an information distributor 252.

Step 7: The bit string (t_(j) ⁽¹⁾, t_(j) ⁽²⁾, . . . , t_(j) ⁽³²⁾) input to the information distributor 252 carries, for each suffix i, the bits of L_(j) at the positions determined by the bit position q of the subkey k_(i); each such bit is used as the information on the bit position q of the subkey k_(i), and is stored for each L_(j) in one of 16 storage areas of the storage part 260, divided for each subkey

$\begin{matrix}{k_{i} = \left( {t_{1}^{(i)},t_{1}^{({16 + i})},t_{2}^{(i)},t_{2}^{({16 + i})},\ldots,t_{8}^{(i)},t_{8}^{({16 + i})}} \right)} & (34)\end{matrix}$

Step 8: When 16-bit information has been set for each k_(i), that is, when the subkey k_(i) has been generated, output its value (i=1, 2, . . . , 16).

Eighth Embodiment

With a view to reducing the device size or the number of program steps, this embodiment uses in key scheduling the f-function used for encryption.

This embodiment will also be described in the framework of the G- and H-functions.

Let the output from the G-function for the input (Y_(j), v_(j)) be represented by

$\left( {L_{j + 1},\left( {Y_{j + 1},v_{j + 1}} \right)} \right) = {G\left( {Y_{j},v_{j}} \right)\quad \left( {0 \leq j \leq 7} \right)}$

and let the output be set as follows: $\begin{matrix}\left. \left( {\left( {Y_{j}^{(1)},Y_{j}^{(2)},Y_{j}^{(3)},Y_{j}^{(4)}} \right),v_{j}} \right)\rightarrow\left( {\left( {L_{j + 1}^{(1)},L_{j + 1}^{(2)},L_{j + 1}^{(3)},L_{j + 1}^{(4)}} \right),\left\lbrack {\left( {Y_{j + 1}^{(1)},Y_{j + 1}^{(2)},Y_{j + 1}^{(3)},Y_{j + 1}^{(4)}} \right),v_{j + 1}} \right\rbrack} \right) \right. & (35)\end{matrix}$

Here, the following definitions are given. $\begin{matrix}{Y_{j + 1}^{(i)} = {f\quad \left( Y_{j}^{(i)} \right)\quad \left( {{i = 1},2,3,4} \right)}} & (36) \\{L_{j + 1}^{(0)} = v_{j}} & (37) \\{L_{j + 1}^{(i)} = {{f\quad \left( L_{j + 1}^{({i - 1})} \right)} \oplus {Y_{j + 1}^{(i)}\quad \left( {{i = 1},2,3,4} \right)}}} & (38) \\{v_{j + 1} = L_{j + 1}^{(4)}} & (39)\end{matrix}$

Further, in

$\begin{matrix}{k_{i} = {H\left( {i,L_{1},L_{2},\ldots,L_{8}} \right)}} & (40)\end{matrix}$

the following definitions are given. $\begin{matrix}{q_{i + {4j}} = {L_{j + 1}^{({i + 1})}\quad \left( {{i = 0},1,2,3} \right)}} & (41) \\{\left( {t_{i}^{(0)},t_{i}^{(1)},\ldots,t_{i}^{(7)}} \right) = {q_{i}\quad \left( {{i = 0},1,\ldots,31} \right)}} & (42) \\{k_{({i + 1})} = {\left( {t_{0 + {({i\bmod 2})}}^{({\lbrack{i/2}\rbrack})},t_{2 + {({i\bmod 2})}}^{({\lbrack{i/2}\rbrack})},\ldots,t_{30 + {({i\bmod 2})}}^{({\lbrack{i/2}\rbrack})}} \right)\quad \left( {{i = 0},1,\ldots,15} \right)}} & (43)\end{matrix}$

Suppose that [i/2] in Equation (43) represents ⌊i/2⌋, the largest integer not exceeding i/2.

This procedure will be described below with reference to FIGS. 28 and 26.

Preparation

Step 1: Set as v₀ a value extracted from 0123456789abcdef101112. . . (hex) having the same number of bits as the bit length of the function f.

Step 2: Set the master key K as Y₀.

Generation of Intermediate Key: The following procedure is repeated for j=0, 1, 2, . . . , 7.

Step 1: Divide the input Y_(j) equally into four parts (Y_(j) ⁽¹⁾, Y_(j) ⁽²⁾, Y_(j) ⁽³⁾, Y_(j) ⁽⁴⁾).

Step 2: For i=1, 2, 3, 4, compute Y_(j+1) ^((i))=f(Y_(j) ^((i))) by data diffusion parts 611 to 614.

Step 3: Set L_(j+1) ^((0))=v_(j).

Step 4: For i=1, 2, 3, 4, compute f(L_(j+1) ^((i−1))) by data diffusion parts 621 to 624, and input the result of computation to an XOR circuit 63i to XOR it with Y_(j+1) ^((i)) to obtain L_(j+1) ^((i))=f(L_(j+1) ^((i−1)))⊕Y_(j+1) ^((i)).

Step 5: Set Y_(j+1)=(Y_(j+1) ⁽¹⁾, Y_(j+1) ⁽²⁾, Y_(j+1) ⁽³⁾, Y_(j+1) ⁽⁴⁾).

Step 6: Set L_(j+1)=(L_(j+1) ⁽¹⁾, L_(j+1) ⁽²⁾, L_(j+1) ⁽³⁾, L_(j+1) ⁽⁴⁾).

Step 7: Set v_(j+1)=L_(j+1) ⁽⁴⁾.

Generation of Subkey: As in the sixth embodiment, Equation (43) is implemented to obtain k₁, k₂, . . . , k_(N) (where N≦16).
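The eighth embodiment's preparation, intermediate key generation (Equations (36) to (39), Steps 1 to 7 of FIG. 28) and subkey generation (Equations (41) to (43)), as an added Python example rather than code from the patent. Equation (42) splits each q_i into eight bits, so the example takes f to be an 8-bit function (a constructed stand-in, since the patent reuses an unspecified encryption f-function), which makes Y_j 32 bits and the master key 32 bits; v₀ is then the first 8 bits of the constant 0123456789abcdef... given in Preparation Step 1, i.e. 0x01. The bit t_i^(0) is assumed to be the most significant bit of q_i. A second function inverts Equation (43) to show that the 16 subkeys redistribute the 256 bits of q_0 to q_31 one-to-one, with each subkey holding one bit position of half of the q_i.

```python
"""Eighth-embodiment key schedule, Equations (35)-(43), with an 8-bit toy f (added example)."""
from typing import List, Sequence, Tuple

FW = 8                     # ASSUMPTION: bit length of f (Equation (42) splits each q_i into 8 bits)
FMASK = (1 << FW) - 1
V0 = 0x01                  # Preparation Step 1: first FW bits of 0123456789abcdef... (hex)


def f(x: int) -> int:
    """Constructed 8-bit diffusion function standing in for the encryption f-function; no cryptographic claim."""
    x = (x * 0x1B + 0x63) & FMASK
    x ^= ((x << 3) | (x >> (FW - 3))) & FMASK
    return (x * 0x35 + 0x5A) & FMASK


def g_function(y: Sequence[int], v: int) -> Tuple[Tuple[int, ...], Tuple[int, ...], int]:
    """Steps 1-7 of FIG. 28: (Y_j, v_j) -> (L_{j+1}, Y_{j+1}, v_{j+1}) per Equations (36)-(39)."""
    y_next = tuple(f(c) for c in y)          # Eq. (36): Y_{j+1}^(i) = f(Y_j^(i)), parts 611-614
    l_prev = v                               # Eq. (37): L_{j+1}^(0) = v_j
    l_next = []
    for y_c in y_next:                       # Eq. (38): L^(i) = f(L^(i-1)) xor Y_{j+1}^(i), parts 621-624, XOR 631-634
        l_prev = f(l_prev) ^ y_c
        l_next.append(l_prev)
    v_next = l_next[3]                       # Eq. (39): v_{j+1} = L_{j+1}^(4)
    return tuple(l_next), y_next, v_next


def intermediate_keys(master_key: int, v0: int = V0, rounds: int = 8) -> List[Tuple[int, ...]]:
    """Preparation Step 2 (Y_0 = K) followed by the intermediate key generation for j = 0..7."""
    y = tuple((master_key >> (FW * (3 - i))) & FMASK for i in range(4))   # Step 1: four equal parts
    v = v0
    ls = []
    for _ in range(rounds):
        l, y, v = g_function(y, v)
        ls.append(l)
    return ls                                # L_1..L_8, each (L^(1), L^(2), L^(3), L^(4))


def q_components(ls: Sequence[Sequence[int]]) -> List[int]:
    """Equation (41): q_{i+4j} = L_{j+1}^(i+1), i = 0..3, j = 0..7, giving q_0..q_31."""
    return [ls[j][i] for j in range(len(ls)) for i in range(4)]


def t_bit(q: int, b: int) -> int:
    """Equation (42): t_i^(b) is bit b of q_i. ASSUMPTION: t^(0) is the most significant bit."""
    return (q >> (FW - 1 - b)) & 1


def h_function(i: int, ls: Sequence[Sequence[int]]) -> int:
    """Equation (43): k_{i+1} from bit [i/2] of q_{0+(i mod 2)}, q_{2+(i mod 2)}, ..., q_{30+(i mod 2)}."""
    if not 0 <= i <= 15:
        raise ValueError("i must be in 0..15")
    qs = q_components(ls)
    parity, bitpos = i % 2, i // 2           # [i/2] is the floor of i/2
    k = 0
    for n in range(0, 32, 2):
        k = (k << 1) | t_bit(qs[n + parity], bitpos)
    return k                                 # 16-bit subkey k_{i+1}


def subkeys(master_key: int) -> List[int]:
    """k_1..k_16 (N = 16) for a 4*FW-bit master key."""
    ls = intermediate_keys(master_key)
    return [h_function(i, ls) for i in range(16)]


def recover_q_from_subkeys(ks: Sequence[int]) -> List[int]:
    """Inverse of Equation (43): every bit of every q_n sits in exactly one subkey, so all 16
    subkeys together determine q_0..q_31, while each single k_i fixes one bit of 16 of them."""
    qs = [0] * 32
    for i, k in enumerate(ks):
        parity, bitpos = i % 2, i // 2
        for slot, n in enumerate(range(0, 32, 2)):
            bit = (k >> (15 - slot)) & 1
            qs[n + parity] |= bit << (FW - 1 - bitpos)
    return qs
```

Changing `FW` (and the width of `f`) scales the whole schedule, which is what the patent's variant (3) allows; variant (1) would be handled by padding a shorter K up to 4·FW bits before calling `intermediate_keys`.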

This embodiment is not limited specifically to the above but can also be carried out in the following manner:

(1) When the size of Y₀ is larger than that of K, K is used as part of Y₀ and the remaining part is filled with a constant.

(2) An arbitrary constant is used as v₀.

(3) The bit lengths of the respective variables are set arbitrarily within ranges in which they are consistent with one another.

(4) Functions other than that for encryption are used as f.

(5) Part of L_(j) is not used to compute H; this occurs when the number of subkeys k_(i) is small and the bit length of L_(j) is large.

(6) H is computed in the same manner as in the sixth embodiment.

(7) G is computed in the same manner as in the sixth embodiment.

(8) As in the seventh embodiment, upon each generation of one intermediate key, rather than after the generation of all the intermediate keys, the result of computation is stored in the storage part 260 at the corresponding bit position of k_(i).

The intermediate key generation part 220 and the subkey generation parts 240 and 250 may be adapted to operate under program control by the computer depicted in FIG. 22.

EFFECT OF THE INVENTION

As described above in detail, according to the present invention, the data transformation device for use in an encryption device to conceal data is designed to simultaneously meet the requirements of security and speed, thereby ensuring security and permitting a fast encryption procedure without causing a significant increase in the number of rounds. Hence, the device of the present invention is suitable for use in an encryption device of the common-key cryptosystem which encrypts or decrypts data in blocks using a secret key.

Furthermore, according to the key scheduling of the present invention, even if k₆, k₇, k₈, k₉, k₁₀ and k₁₁ are known in the sixth and seventh embodiments, only 12 bits (for example, the 6th, 7th, 8th, 9th, 10th, 11th, 22nd, 23rd, 24th, 25th, 26th and 27th bits) of the respective L_(j) components are known. Thus, the problems concerning the security of the key scheduling part raised in DES and in the U.S. patent issued to Miyaguchi et al. have been solved.

What is claimed:
 1. A data transformation device which has key storage means for storing plural pieces of key data and a plurality of cascade-connected round processing parts each composed of a nonlinear function part supplied with said plural pieces of key data to perform key-dependent nonlinear transformation, whereby input data is transformed to different data in dependence on key data, said nonlinear function part of each of said round processing parts comprising: first key-dependent linear transformation means for linearly transforming input data to said round processing part based on first key data stored in said key storage means; splitting means for splitting the output data from said first key-dependent linear transformation means to n pieces of subdata, said n being an integer equal to or larger than 4; first nonlinear transformation means for nonlinearly transforming each of said n pieces of subdata; second key-dependent linear transformation means for linearly transforming the output subdata from each of said first nonlinear transformation means based on second key data stored in said key storage means; second nonlinear transformation means for nonlinearly transforming n pieces of output subdata from said second key-dependent linear transformation means; and combining means for combining n pieces of output subdata from said second nonlinear transformation means to provide the output from said nonlinear function means; wherein said second key-dependent linear transformation means contains a linear transformation layer wherein the input thereto is transformed linearly using XORs defined by an n×n matrix.
 2. The data transformation device as claimed in claim 1, which further comprises: initial splitting means for splitting said input data into two pieces of data; nonlinear function means supplied with one of said two pieces of data; linear operation means for causing the output data from said nonlinear function means to act on the other piece of data; and final combining means for combining two pieces of data into a single piece of output data.
 3. The data transformation device as claimed in claim 2, which further comprises initial transformation means for transforming said input data and for supplying said transformed input data to said initial splitting means.
 4. The data transformation device as claimed in claim 2 or 3, which further comprises final transformation means for transforming the output data from said final combining means to provide output data from said data transformation device.
 5. The data transformation device as claimed in claim 3, wherein at least one of said initial transformation means and said final transformation means is key-dependent transformation means which performs transformation based on key data stored in said key storage means.
 6. The data transformation device as claimed in any one of claims 1, 2 or 3, wherein said nonlinear function part is provided with third key-dependent linear transformation means for linearly transforming the output data from said combining means based on third key data stored in said key storage means to provide the output from said nonlinear function part.
 7. The data transformation device as claimed in any one of claims 1, 2 or 3, wherein said first key-dependent linear transformation means, said second key-dependent linear transformation means and/or said third key-dependent linear transformation means is linear transformation means which performs fixed linear transformation.
 8. The data transformation device as claimed in any one of claims 1, 2 or 3, wherein said first nonlinear transformation means and said second nonlinear transformation means are each provided with: means for splitting the input subdata thereto into two subblocks; means for performing linear transformation and nonlinear transformation of each of said two split subblocks in cascade; and means for combining the transformed subblocks from said cascade transformation means to provide transformed output subdata corresponding to said input subdata.
 9. The data transformation device as claimed in any one of claims 1, 2 or 3, wherein said n×n matrix is formed by n column vectors whose Hamming weights are equal to or larger than T−1 for a predetermined security threshold T.
 10. The data transformation device as claimed in claim 9, wherein said matrix is selected from a plurality of matrix candidates which provides a maximum value of n_(d), said n_(d) being the minimum number of active s-boxes.
 11. The data transformation device as claimed in any one of claims 1, 2 or 3, wherein said n×n matrix is a 4×4 matrix.
 12. The data transformation device as claimed in claim 11, wherein said second linear transformation means is means which inputs thereto four data A1, A2, A3 and A4 from said first nonlinear transformation means, computes  B 1=A 1 ⊕A 3 ⊕A 4 B 2=A 2 ⊕A 3 ⊕A 4 B 3=A 1 ⊕A 2 ⊕A 3 B 4=A 1 ⊕A 2 ⊕A 4 and outputs data B1, B2, B3 and B4.
 13. The data transformation device as claimed in claim 12, wherein said second linear transformation means is key-dependent linear transformation means, which is also supplied with key data k2=[k21, k22, k23, k24] from said key storage means and performs XOR operations by said key data k21, k22, k23 and k24 in the computations for said output data B1, B2, B3 and B4, respectively.
 14. The data transformation device as claimed in claim 11, wherein: said first nonlinear transformation means comprises: for four pieces of m-bit subdata in1, in2, in3 and in4 from said splitting means, for transforming said in1 to 4m-bit data MI1=[A1, 00 . . . 0₍₂₎, A1, A1]; means for transforming said in2 to 4m-bit data MI2=[00 . . . 0₍₂₎, A2, A2, A2]; means for transforming said in3 to 4m-bit data MI3=[A3, A3, A3, 00 . . . 0₍₂₎]; and means for transforming said in4 to 4m-bit data MI4=[A4, A4, 00 . . . 0₍₂₎, A4]; and said second linear transformation means is means supplied with said data MI1, MI2, MI3 and MI4 from said first nonlinear transformation means, for computing B=MI1⊕MI2⊕MI3⊕MI4 and for outputting B=[B1, B2, B3, B4].
 15. The data transformation device as claimed in claim 14, wherein said second linear transformation means is a key-dependent linear transformation means, which is also supplied with 4m-bit key data k2 from said key storage means and performs an XOR operation by said key data k2 in the computation of said B.
 16. The data transformation device as claimed in any one of claims 1, 2 or 3, wherein said n×n matrix is an 8×8 matrix.
 17. The data transformation device as claimed in claim 16, wherein said second linear transformation means is means which provides its eight pieces of output data B1 to B8 by obtaining four pieces of said output subdata B1, B2, B3 and B4 through XOR operations using six of eight pieces of subdata A1, A2, . . . , A8 from said first nonlinear transformation means and by obtaining four pieces of said output subdata B5, B6, B7 and B8 through XORing using five of said eight pieces of subdata from said first nonlinear transformation means.
 18. The data transformation device as claimed in claim 17, wherein said second linear transformation means is key-dependent linear transformation means, which is supplied with key data k2=[k21, k22, k23, k24, k25, k26, k27, k28] stored in said key storage means and performs XOR operations by said key data k21, k22, k23, k24, k25, k26, k27 and k28 for obtaining said output subdata [B1, B2, B3, B4, B5, B6, B7, B8].
 19. The data transformation device as claimed in claim 16, wherein: said first nonlinear means is means for transforming eight pieces of m-bit subdata in1 to in8 from said splitting means to eight pieces of 8 m-bit data MI1=[00 . . . 0₍₂₎, A1, A1, A1, A1, A1, 00 . . . 0₍₂₎, A1], MI2=[A2, 00 . . . 0₍₂₎, A2, A2, A2, A2, A2, 00 . . . 0₍₂₎,] MI3=[A3, A3, 00 . . . 0₍₂₎, A3, 00 . . . 0₍₂₎, A3, A3, A3], MI4=[A4, A4, A4, 00 . . . 0₍₂₎, A4, 00 . . . 0₍₂₎, A4, A4], MI5=[A5, 00 . . . 0₍₂₎, A5, A5, A5, 00 . . . 0₍₂₎, 00 . . . 0₍₂₎, A5], MI6=[A6, A6, 00 . . . 0₍₂₎, A6, A6, A6, 00 . . . 0₍₂₎, 00 . . . 0₍₂₎,] MI7=[A7, A7, A7, 00 . . . 0₍₂₎, 00 . . . 0₍₂₎, A7, A7, 00 . . . 0₍₂₎,], and MI8=[00 . . . 0₍₂₎, A8, A8, A8, 00 . . . 0₍₂₎, 00 . . . 0₍₂₎, A8, A8]; and said second linear transformation means is means supplied with said data MI1 to MI8 from said first nonlinear transformation means, for computing B=MI1⊕MI2⊕MI3⊕MI4⊕MI5⊕MI6⊕MI7⊕MI8 and for outputting B=[B1, B2, B3, B4, B5, B6, B7, B8].
 20. The data transformation device as claimed in claim 19, wherein said second linear transformation means is key-dependent linear transformation means, which is also supplied with 8 m-bit key data k2 stored in said key storage means and performs an XOR operation by said key data k2 for obtaining said B.
 21. A recording medium on which there is recorded a data transformation program by which round processing containing nonlinear function process of performing key-dependent nonlinear transformations based on plural pieces of key data stored in key storage means is executed a plurality of times in cascade to thereby transform input data to different data in dependent on key data, said nonlinear function process of said round processing comprises: a first key-dependent linear transformation step of linearly transforming input data to a round processing part based on first key data stored in said key storage means; a splitting step of splitting output data by said first key-dependent linear transformation step into n pieces of subdata, said n being an integer equal to or larger than 4; a first nonlinear transformation step of nonlinearly transforming each of said n pieces of subdata; a second key-dependent linear transformation step of performing a linear transformation using second key data and output subdata by said nonlinear transformation step; a second nonlinear transformation step of performing a second nonlinear transformation of each of said n pieces of output subdata by said second key-dependent linear transformation step; and combining step of combining n pieces of output subdata by said second nonlinear transformation means into a single data for outputting as the result of said nonlinear function process; wherein said second key-dependent linear transformation step includes an XOR linear transformation step of performing, for the input thereto, XORing defined by an n×n matrix.
 22. The recording medium as claimed in claim 21, wherein said data transformation program comprises: an initial splitting step of splitting said input data into two pieces of data; a step of performing said nonlinear function process using one of said two pieces of data as the input thereto; a linear operation step of causing the output data by said nonlinear function processing step to act on the other piece of said data; and a final combining step of combining two pieces of data into a single piece of output data.
 23. The recording medium as claimed in claim 22, wherein said data transformation program includes an initial transformation step of transforming said input data and supplying said transformed input data to said initial splitting step.
 24. The recording medium as claimed in claim 22 or 23, wherein said data transformation program includes a final transformation step of transforming the output data by said final combining step to provide output data.
 25. The recording medium as claimed in claim 23, wherein at least one of said initial transformation step and said final transformation step of said data transformation program is a key-dependent transformation step of performing transformation based on key data.
 26. The recording medium as claimed in any one of claims 21, 22 or 23, wherein said nonlinear function processing step includes a third key-dependent linear transformation step of linearly transforming the output data by said combining step based on third key data stored in said key storage means to provide the output of said nonlinear function processing step.
 27. The recording medium as claimed in any one of claims 21, 22 or 23, wherein said first key-dependent linear transformation step, said second key-dependent linear transformation step and/or said third key-dependent linear transformation step is a linear transformation step of performing fixed linear transformation.
 28. The recording medium as claimed in any one of claims 21, 22 or 23, wherein said first nonlinear transformation step and said second nonlinear transformation step are each include: a step of splitting the input data thereto into two subblocks; a step of performing linear transformation of each of said two split subblocks; a step of performing linear transformation and nonlinear transformation of each of said two split subblocks in cascade; and a step of combining the transformed subblocks by said cascade transformation step into nonlinearly transformed output data corresponding to said input data.
 29. The recording medium as claimed in any one of claims 21, 22 or 23, wherein said n×n matrix is formed by n column vectors whose Hamming weights are equal to or larger than T−1 for a predetermined security threshold T.
 30. The recording medium as claimed in claim 29, wherein said matrix is selected from a plurality of matrix candidates which provides a maximum value of n_(d), said n_(d) being the minimum number of active s-boxes.
 31. The recording medium as claimed in any one of claims 21, 22 or 23, wherein said n×n matrix is a 4×4 matrix.
 32. The recording medium as claimed in claim 31, wherein said second linear transformation step is a step of inputting thereto four data A1, A2, A3 and A4 by said first nonlinear transformation step, computing B 1=A 1⊕A 3⊕A 4 B 2=A 2⊕A 3⊕A 4 B 3=A 1⊕A 2⊕A 3 B 4=A 1⊕A 2⊕A 4 and outputting data B1, B2, B3 and B4.
 33. The recording medium as claimed in claim 32, wherein said second linear transformation step is a key-dependent linear transformation step of inputting key data k2=[k21, k22, k23, k24] in said key storage means and performing XOR operations by said key data k21, k22, k23 and k24 in the computations for said output data B1, B2, B3 and B4, respectively.
 34. The recording medium as claimed in claim 32, wherein: said first nonlinear transformation step comprises: for four pieces of m-bit subdata in1, in2, in3 and in4 from said splitting means a step of transforming said in1 to 4 m-bit data MI1=[A1, 00 . . . 0₍₂₎, A1, A1]; a step of transforming said in2 to 4 m-bit data MI2=[00 . . . 0₍₂₎, A2, A2, A2]; a step of transforming said in3 to 4 m-bit data MI3=[A3, A3, A3, 00 . . . 0₍₂₎]; and a step of transforming said in4 to 4 m-bit data MI4=[A4, A4, 00 . . . 0₍₂₎, A4]; and said second linear transformation step is a step of inputting said data MI1, MI2, MI3 and MI4 by said first nonlinear transformation step, computing B=MI1⊕MI2⊕MI3⊕MI4 and outputting B=[B1, B2, B3, B4].
 35. The recording medium as claimed in claim 34, wherein said second linear transformation step is a key-dependent linear transformation step of inputting 4m-bit key data k2 in said key storage means and performing an XOR operation by said key data k2 in the computation of said B.
 36. The recording medium as claimed in any one of claims 21, 22 or 23, wherein said n×n matrix is an 8×8 matrix.
 37. The recording medium as claimed in claim 36, wherein said second linear transformation step is a step of providing its eight pieces of output data B1 to B8 by obtaining four pieces of said output subdata B1, B2, B3 and B4 through XOR operations using six of eight pieces of subdata A1, A2, . . . , A8 by said first nonlinear transformation step and by obtaining four pieces of said output subdata B5, B6, B7 and B8 through XORing using five of said eight pieces of subdata by said first nonlinear transformation step.
 38. The recording medium as claimed in claim 37, wherein said second linear transformation step is a key-dependent linear transformation step of inputting key data k2=[k21, k22, k23, k24, k25, k26, k27, k28] stored in said key storage means and performing XOR operations by said key data k21, k22, k23, k24, k25, k26, k27 and k28 for obtaining said output subdata [B1, B2, B3, B4, B5, B6, B7, B8].
 39. The recording medium as claimed in claim 37, wherein: said first nonlinear step is a step of transforming eight pieces of m-bit subdata in1 to in8 by said splitting means to eight pieces of 8 m-bit data MI1=[00 . . . 0₍₂₎, A1, A1, A1, A1, A1, 00 . . . 0₍₂₎, A1], MI2=[A2, 00 . . . 0₍₂₎, A2, A2, A2, A2, A2, 00 . . . 0₍₂₎] MI3=[A3, A3, 00 . . . 0₍₂₎, A3, 00 . . . 0₍₂₎, A3, A3, A3], MI4=[A4, A4, A4, 00 . . . 0₍₂₎, A4, 00 . . . 0₍₂₎, A4, A4], MI5=[A5, 00 . . . 0₍₂₎, A5, A5, A5, 00 . . . 0₍₂₎, 00 . . . 0₍₂₎, A5], MI6=[A6, A6, 00 . . . 0₍₂₎, A6, A6, A6, 00 . . . 0₍₂₎, 00 . . . 0₍₂₎] MI7=[A7, A7, A7, 00 . . . 0₍₂₎, 00 . . . 0₍₂₎, A7, A7, 00 . . . 0₍₂₎], and MI8=[00 . . . 0₍₂₎, A8, A8, A8, 00 . . . 0₍₂₎, 00 . . . 0₍₂₎, A8, A8]; and said second linear transformation step is a step of inputting said data MI1 to MI8 by said first nonlinear transformation step, computing B=MI1⊕MI2⊕MI3⊕MI4⊕MI5⊕MI6⊕MI7⊕MI8 and outputting B=[B1, B2, B3, B4, B5, B6, B7, B8].
 40. The recording medium as claimed in claim 39, wherein said second linear transformation step is a key-dependent linear transformation step of inputting 8m-bit key data k2 stored in said key storage means and performing an XOR operation by said key data k2 for obtaining said B.
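The 8×8 binary matrix of claims 37 to 40, worked through as an added example; this is editor-written Python, not code from the patent. It builds the matrix from the MI1 to MI8 patterns of claim 39 (column k of the matrix is 1 at every position where MIk carries Ak and 0 where it carries 00…0₍₂₎), checks the row weights that claim 37 states (six inputs for B1 to B4, five for B5 to B8), computes the branch number by exhaustion, and inverts the matrix over GF(2). Assumptions not in the claims: m=8 so that each subdatum is one byte, the sample input vector, and that the key data k2 of claim 40 is modeled as a plain XOR on the output.

```python
"""Added example (not patent code): the 8x8 binary linear transformation of claims 37-40.
Assumptions: m = 8 (each A_k / B_k is one byte); k2 of claim 40 is any 8-byte value."""
from itertools import product

# Column k of the matrix is the pattern of MI_k in claim 39: 1 where MI_k carries A_k,
# 0 where it carries 00...0(2).  Rows are the outputs B1..B8, columns the inputs A1..A8.
MI_PATTERNS = [
    [0, 1, 1, 1, 1, 1, 0, 1],  # MI1
    [1, 0, 1, 1, 1, 1, 1, 0],  # MI2
    [1, 1, 0, 1, 0, 1, 1, 1],  # MI3
    [1, 1, 1, 0, 1, 0, 1, 1],  # MI4
    [1, 0, 1, 1, 1, 0, 0, 1],  # MI5
    [1, 1, 0, 1, 1, 1, 0, 0],  # MI6
    [1, 1, 1, 0, 0, 1, 1, 0],  # MI7
    [0, 1, 1, 1, 0, 0, 1, 1],  # MI8
]
N = 8
# MATRIX[row][col] == 1  <=>  B_{row+1} is the XOR of ... A_{col+1} ...
MATRIX = [[MI_PATTERNS[col][row] for col in range(N)] for row in range(N)]


def row_weights(matrix):
    """Hamming weight of each row, i.e. how many A_k are XORed into each B_k."""
    return [sum(r) for r in matrix]


def linear_transform(a, matrix=MATRIX, k2=None):
    """B = MI1 xor ... xor MI8 (xor k2) on byte subdata a = [A1, ..., A8]."""
    b = []
    for row in matrix:
        acc = 0
        for coeff, a_k in zip(row, a):
            if coeff:
                acc ^= a_k
        b.append(acc)
    if k2 is not None:                       # key-dependent variant of claim 40
        b = [x ^ k for x, k in zip(b, k2)]
    return b


def branch_number(matrix):
    """Differential branch number: min over nonzero x of wt(x) + wt(M x).
    A 0/1 matrix acts identically on every bit slice of the byte subdata, so the
    minimum is reached on a single slice and exhausting the 255 bit vectors suffices."""
    best = None
    for x in product([0, 1], repeat=N):
        if not any(x):
            continue
        y = [sum(c * xi for c, xi in zip(row, x)) % 2 for row in matrix]
        w = sum(x) + sum(y)
        best = w if best is None else min(best, w)
    return best


def gf2_inverse(matrix):
    """Gauss-Jordan inversion over GF(2); returns None when the matrix is singular."""
    n = len(matrix)
    aug = [row[:] + [1 if i == j else 0 for j in range(n)] for i, row in enumerate(matrix)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [x ^ y for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


if __name__ == "__main__":
    print("row weights :", row_weights(MATRIX))
    print("branch number:", branch_number(MATRIX))
    inv = gf2_inverse(MATRIX)
    a = [0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF]   # constructed sample input
    b = linear_transform(a)
    print("B            :", [hex(x) for x in b])
    print("round trip ok:", linear_transform(b, inv) == a)
```

The row weights are exactly the six-input and five-input counts of claim 37, and the branch number is the smallest number of active subdata across an input/output pair of the transformation, which is the quantity that the weight condition in the abstract is designed to push up. The inverse is computed only to show the matrix is nonsingular; a Feistel round function does not need it for decryption.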
 41. The data transformation device as claimed in any one of claims 1, 2 or 3, which further comprises: G-function means composed of M rounds means which are supplied with a master key K and generate intermediate values L_(j+1)(j=0, 1, . . . , M−1); intermediate value storage means for temporarily storing said each intermediate value L_(j) from said G-function means; and H-function means equipped with a partial information extracting function of generating N subkeys from a plurality of L_(j) and for storing them as said plural pieces of key data in said key storage means; wherein: said G-function means takes said master key as at least one part of Y₀, inputs Y_(j) and v_(j) in the output (L_(j), Y_(j), v_(j)) from the j-th round, into its (j+1)-th round (where j=0, 1, . . . , M−1) diffuses the inputs and outputs L_(j+1), Y_(j+1) and v_(j+1); and said H-function means inputs i (where i=1, 2, . . . , N) and L₁, L₂, . . . , L_(M) stored in said intermediate value storage means, extracts information about bit positions of subkeys k_(i) determined by said i from said L₁, . . . , L_(M), and outputs said subkeys, said subkeys being stored in said key storage means.
 42. The data transformation device as claimed in any one of claims 1, 2 or 3, which further comprises: G-function means composed of M rounds means which are supplied with a master key K and generate intermediate values L_(j+1) (j=0, 1, . . . , M−1); H-function means equipped with a partial information extracting function of generating subkeys from a plurality of L_(j) generated by said G-function means; and intermediate value storage means for storing outputs from said H-function means as values corresponding to said subkeys k_(i); wherein: said G-function means takes said master key as at least one part of Y₀, inputs Y_(j) and v_(j) in the output (L_(j), Y_(j), v_(j)) from the j-th round, into its (j+1)-th round, diffuses the inputs and outputs L_(j+1), Y_(j+1) and v_(j+1); and said H-function means inputs i, q and L_(j) (1≦i≦N, 1≦j≦M, 1≦q≦the number of bits of k_(i)), and extracts bit position information defined by i and q from L_(j) to provide information about the bit position q of the subkeys k_(i), said subkeys being stored as said plurality of key data in said key storage means.
 43. The data transformation device as claimed in claim 41, wherein said G-function means comprises: data splitting means for splitting the input Y_(j) into two blocks (Y_(j)^(L), Y_(j)^(R)) and for outputting Y_(j)^(L) as v_(j+1); XOR means for computing Y_(j)^(R)⊕v_(j) from said Y_(j)^(R) and said v_(j); data diffusion means supplied with said Y_(j)^(L) and the output from said XOR means, for diffusing them and for outputting the result as L_(j+1); and data swapping means for rendering said Y_(j)^(R) into Y_(j+1)^(L) and said L_(j+1) into Y_(j+1)^(R) and for concatenating said Y_(j+1)^(L) and said Y_(j+1)^(R) into an output Y_(j+1)=(Y_(j+1)^(L), Y_(j+1)^(R)).
 44. The data transformation device as claimed in claim 41, wherein said H-function means comprises: bit splitting means for splitting bitwise each L_(j) read out of said intermediate value storage means into (t_(j)^((1)), t_(j)^((2)), . . . , t_(j)^((2N)))=L_(j) (j=1, 2, . . . , M); and bit combining means for combining the resulting (t₁^((i)), t₁^((N+i)), t₂^((i)), t₂^((N+i)), . . . , t_(M)^((i)), t_(M)^((N+i))) and for outputting subkeys k_(i)=(t₁^((i)), t₁^((N+i)), t₂^((i)), t₂^((N+i)), . . . , t_(M)^((i)), t_(M)^((N+i))) (i=1, 2, . . . , N).
 45. The data transformation device as claimed in claim 42, wherein said H-function means comprises: bit splitting means for splitting said each L_(j) bitwise into (t_(j)^((1)), t_(j)^((2)), . . . , t_(j)^((2N)))=L_(j) (j=1, 2, . . . , M); and bit combining means for combining said bits (t_(j)^((1)), t_(j)^((2)), . . . , t_(j)^((2N))) so that information about the bit position defined by the bit position q of k_(i) for i becomes the bit position of k_(i), and for outputting subkeys k_(i)=(t₁^((i)), t₁^((N+i)), t₂^((i)), t₂^((N+i)), . . . , t_(M)^((i)), t_(M)^((N+i))) (i=1, 2, . . . , N).
 46. The data transformation device as claimed in claim 41, wherein said G-function means is means for performing the following operation: for $(L_{j+1}, (Y_{j+1}, v_{j+1})) = G(Y_j, v_j)$ ($0 \le j \le M-1$), the output result

$$((Y_j^{(1)}, Y_j^{(2)}, Y_j^{(3)}, Y_j^{(4)}), v_j) \rightarrow ((L_{j+1}^{(1)}, L_{j+1}^{(2)}, L_{j+1}^{(3)}, L_{j+1}^{(4)}), [(Y_{j+1}^{(1)}, Y_{j+1}^{(2)}, Y_{j+1}^{(3)}, Y_{j+1}^{(4)}), v_{j+1}])$$

where

$$Y_{j+1}^{(i)} = f(Y_j^{(i)}) \quad (i = 1, 2, 3, 4),$$

$$L_{j+1}^{(0)} = v_j,$$

$$L_{j+1}^{(i)} = f(L_{j+1}^{(i-1)}) \oplus Y_{j+1}^{(i)} \quad (i = 1, 2, 3, 4),$$

$$v_{j+1} = L_{j+1}^{(4)};$$

and said H-function means is means for performing the following operation: for $k_i = H(i, L_1, L_2, \ldots, L_M)$,

$$q_{4i+j} = L_{j+1}^{(i+1)} \quad (i = 0, 1, 2, 3),$$

$$(t_i^{(0)}, t_i^{(1)}, \ldots, t_i^{(7)}) = q_i \quad (i = 0, 1, \ldots, 31),$$

$$k_{i+1} = \bigl(t_{0+(i \bmod 2)}^{(\lfloor i/2 \rfloor)},\; t_{2+(i \bmod 2)}^{(\lfloor i/2 \rfloor)},\; \ldots,\; t_{30+(i \bmod 2)}^{(\lfloor i/2 \rfloor)}\bigr) \quad (i = 0, 1, \ldots, N-1).$$
 47. An encryption key scheduling device for scheduling subkeys from a master key, comprising: G-function means composed of M rounds means which are supplied with a master key K and generate intermediate values L_(j+1) (j=0, 1, . . . , M−1); intermediate value storage means for temporarily storing said each intermediate value L_(j) from said G-function means; and H-function means equipped with a partial information extracting function of generating N subkeys from a plurality of L_(j); wherein: said G-function means takes said master key as at least one part of Y₀, inputs Y_(j) and v_(j) in the output (L_(j), Y_(j), v_(j)) from the j-th round, into its (j+1)-th round (where j=0, 1, . . . , M−1), diffuses the inputs and outputs L_(j+1), Y_(j+1) and v_(j+1); and said H-function means inputs i (where i=1, 2, . . . , N) and L₁, L₂, . . . , L_(M) stored in said intermediate value storage means, extracts information about bit positions of subkeys k_(i) determined by said i from said L₁, . . . , L_(M) and outputs said subkeys.
 48. An encryption key scheduling device for scheduling subkeys from a master key, comprising: G-function means composed of M rounds means which are supplied with a master key K and generate intermediate values L_(j+1) (j=0, 1, . . . , M−1); H-function means equipped with a partial information extracting function of generating subkeys from a plurality of L_(j) generated by said G-function means; and intermediate value storage means for storing outputs from said H-function means as values corresponding to said subkeys k_(i); wherein: said G-function means takes said master key as at least one part of Y₀, inputs Y_(j) and v_(j) in the output (L_(j), Y_(j), v_(j)) from the j-th round, into its (j+1)-th round, diffuses the inputs and outputs L_(j+1), Y_(j+1) and v_(j+1); and said H-function means inputs i, q and L_(j) (1≦i≦N, 1≦j≦M, 1≦q≦the number of bits of k_(i)), and extracts bit position information defined by i and q from L_(j) to provide information about the bit position q of the subkeys k_(i).
 49. The encryption key scheduling device as claimed in claim 47 or 48, wherein said G-function means comprises: data splitting means for splitting the input Y_(j) into two blocks (Y_(j)^(L), Y_(j)^(R)) and for outputting Y_(j)^(L) as v_(j+1); XOR means for computing Y_(j)^(R)⊕v_(j) from said Y_(j)^(R) and said v_(j); data diffusion means supplied with said Y_(j)^(L) and the output from said XOR means, for diffusing them and for outputting the result as L_(j+1); and data swapping means for rendering said Y_(j)^(R) into Y_(j+1)^(L) and said L_(j+1) into Y_(j+1)^(R) and for concatenating said Y_(j+1)^(L) and said Y_(j+1)^(R) into an output Y_(j+1)=(Y_(j+1)^(L), Y_(j+1)^(R)).
 50. The encryption key scheduling device as claimed in claim 47, wherein said H-function means comprises: bit splitting means for splitting bitwise each L_(j) read out of said intermediate value storage means into (t_(j)^((1)), t_(j)^((2)), . . . , t_(j)^((2N)))=L_(j) (j=1, 2, . . . , M); and bit combining means for combining the resulting (t₁^((i)), t₁^((N+i)), t₂^((i)), t₂^((N+i)), . . . , t_(M)^((i)), t_(M)^((N+i))) and for outputting subkeys k_(i)=(t₁^((i)), t₁^((N+i)), t₂^((i)), t₂^((N+i)), . . . , t_(M)^((i)), t_(M)^((N+i))) (i=1, 2, . . . , N).
 51. The encryption key scheduling device as claimed in claim 48, wherein said H-function means comprises: bit splitting means for splitting said each L_(j) bitwise into (t_(j)^((1)), t_(j)^((2)), . . . , t_(j)^((2N)))=L_(j) (j=1, 2, . . . , M); and bit combining means for combining said bits (t_(j)^((1)), t_(j)^((2)), . . . , t_(j)^((2N))) so that information about the bit position defined by the bit position q of k_(i) for i becomes the bit position of k_(i), and for outputting subkeys k_(i)=(t₁^((i)), t₁^((N+i)), t₂^((i)), t₂^((N+i)), . . . , t_(M)^((i)), t_(M)^((N+i))) (i=1, 2, . . . , N).
 52. The encryption key scheduling device as claimed in claim 47 or 48, wherein said G-function means is means for performing the following operation: for $(L_{j+1}, (Y_{j+1}, v_{j+1})) = G(Y_j, v_j)$ ($0 \le j \le M-1$), the output result

$$((Y_j^{(1)}, Y_j^{(2)}, Y_j^{(3)}, Y_j^{(4)}), v_j) \rightarrow ((L_{j+1}^{(1)}, L_{j+1}^{(2)}, L_{j+1}^{(3)}, L_{j+1}^{(4)}), [(Y_{j+1}^{(1)}, Y_{j+1}^{(2)}, Y_{j+1}^{(3)}, Y_{j+1}^{(4)}), v_{j+1}])$$

where

$$Y_{j+1}^{(i)} = f(Y_j^{(i)}) \quad (i = 1, 2, 3, 4),$$

$$L_{j+1}^{(0)} = v_j,$$

$$L_{j+1}^{(i)} = f(L_{j+1}^{(i-1)}) \oplus Y_{j+1}^{(i)} \quad (i = 1, 2, 3, 4),$$

$$v_{j+1} = L_{j+1}^{(4)};$$

and said H-function means is means for performing the following operation: for $k_i = H(i, L_1, L_2, \ldots, L_M)$,

$$q_{4i+j} = L_{j+1}^{(i+1)} \quad (i = 0, 1, 2, 3),$$

$$(t_i^{(0)}, t_i^{(1)}, \ldots, t_i^{(7)}) = q_i \quad (i = 0, 1, \ldots, 31),$$

$$k_{i+1} = \bigl(t_{0+(i \bmod 2)}^{(\lfloor i/2 \rfloor)},\; t_{2+(i \bmod 2)}^{(\lfloor i/2 \rfloor)},\; \ldots,\; t_{30+(i \bmod 2)}^{(\lfloor i/2 \rfloor)}\bigr) \quad (i = 0, 1, \ldots, N-1).$$
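The G-function and H-function of claims 41, 43 and 44 (restated for a stand-alone key scheduling device in claims 47, 49 and 50), worked through as an added example; this is editor-written Python, not code from the patent. The G round follows claim 43 literally: split Y_(j) into (Y_(j)^(L), Y_(j)^(R)), hand Y_(j)^(L) on as v_(j+1), XOR Y_(j)^(R) with v_(j), diffuse the two halves into L_(j+1), and swap so that Y_(j+1)=(Y_(j)^(R), L_(j+1)). The H function follows claim 44: each L_(j) is cut into 2N pieces and subkey k_(i) collects pieces i and N+i from every L_(j), so no single intermediate value determines a subkey. Everything the claims leave open is an assumption here: Y_(j) is 32 bytes, L_(j) is 16 bytes, M=8, N=8 (so each piece is one byte and each subkey is 2M=16 bytes), v₀ is a fixed constant, the master key is zero-padded into Y₀, and the "data diffusion means" is stood in for by a truncated SHA-256 rather than the patent's round function.

```python
"""Added example (not patent code): G/H key schedule of claims 41, 43, 44 (47, 49, 50).
Assumptions: 32-byte Y_j, 16-byte L_j, M = 8, N = 8, constant v_0, SHA-256 stand-in
for the data diffusion means, zero-padding of the master key into Y_0."""
import hashlib

M = 8                      # G rounds, producing L_1 .. L_M
N = 8                      # subkeys k_1 .. k_N
HALF = 16                  # bytes in Y_j^L, Y_j^R and L_j
V0 = bytes(range(HALF))    # constant v_0 (assumed value)


def diffuse(left, right):
    """Stand-in for the data diffusion means of claim 43 (assumption, not the patent's f)."""
    return hashlib.sha256(left + right).digest()[:HALF]


def g_round(y, v):
    """One round of claim 43: (L_{j+1}, Y_{j+1}, v_{j+1}) = G(Y_j, v_j)."""
    y_left, y_right = y[:HALF], y[HALF:]            # data splitting means
    v_next = y_left                                 # Y_j^L is output as v_{j+1}
    x = bytes(a ^ b for a, b in zip(y_right, v))    # XOR means: Y_j^R xor v_j
    l_next = diffuse(y_left, x)                     # L_{j+1}
    y_next = y_right + l_next                       # data swapping means
    return l_next, y_next, v_next


def g_function(master_key):
    """Run M rounds from Y_0 (master key as part of Y_0) and return [L_1, ..., L_M]."""
    if len(master_key) > 2 * HALF:
        raise ValueError("master key longer than Y_0")
    y = master_key.ljust(2 * HALF, b"\x00")         # padding is an assumption
    v = V0
    intermediates = []
    for _ in range(M):
        l, y, v = g_round(y, v)
        intermediates.append(l)                     # intermediate value storage means
    return intermediates


def h_function(intermediates):
    """Claim 44: split each L_j into 2N pieces t_j^(1..2N); k_i takes t_j^(i) and t_j^(N+i)."""
    piece = HALF // (2 * N)                         # bytes per piece (1 with these sizes)
    if piece * 2 * N != HALF:
        raise ValueError("L_j must split into 2N equal pieces")
    subkeys = []
    for i in range(N):                              # i is 0-based here: k_{i+1}
        k = b"".join(
            l[i * piece:(i + 1) * piece] + l[(N + i) * piece:(N + i + 1) * piece]
            for l in intermediates)
        subkeys.append(k)
    return subkeys


def schedule(master_key):
    """Master key -> [k_1, ..., k_N], each 2M pieces long."""
    return h_function(g_function(master_key))


if __name__ == "__main__":
    sample_key = b"constructed 16B!"                # constructed sample master key
    for idx, k in enumerate(schedule(sample_key), 1):
        print(f"k_{idx} = {k.hex()}")
```

The property worth checking on any implementation of this scheme is the one the claims call partial information extraction: the bytes of all N subkeys together are exactly the bytes of L₁ to L_(M), each used once, and every subkey contains exactly two pieces of every L_(j). The test below asserts both from the functions' return values.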


53. A recording medium on which there is recorded a program for a computer to implement an encryption key scheduling device which inputs a master key K and generates therefrom a plurality of subkeys k_(i) (i=1, . . . , N), said program comprising: an intermediate key generation process in which said master key K as Y₀ and a constant v₀ are input, diffusion processing of said inputs is repeated in cascade a plurality of times and an intermediate value L_(j) (j=1, 2, . . . , M) is output for each diffusion processing; a process of storing said intermediate value L_(j) in an intermediate value storage part; and a subkey generation process in which, upon storage of a predetermined number of said intermediate values L₁ to L_(M) in said intermediate value storage part, information about the bit positions of subkeys k_(i) determined by i is extracted from said L₁ to L_(M) and said subkeys k_(i) are generated.
 54. A recording medium on which there is recorded a program for a computer to implement an encryption key scheduling device which inputs a master key K and generates therefrom a plurality of subkeys k_(i) (i=1, . . . , N), said program comprising: an intermediate key generation process in which said master key K as Y₀ and a constant v₀ are input, diffusion processing of said inputs is repeated in cascade a plurality of times and an intermediate value L_(j) (j=1, 2, . . . , M) is output for each diffusion processing; a process in which, upon each generation of said intermediate value L_(j), the information at the bit position of said L_(j) defined by the index i of said subkey k_(i) and the bit position q of said k_(i) is extracted as bit position information for said k_(i) and is stored in an intermediate value storage part; and a process in which, upon determination of the information about each bit position of each of said subkeys k_(i) in said storage part, said subkey k_(i) is output.